W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: CSP script hashes, inline and src'd

From: Ian Melven <ian.melven@gmail.com>
Date: Mon, 21 Oct 2013 10:26:27 -0700
Message-ID: <CA+0m=FdRrGSmQ2Ybgu_Tc8XqcT3h79tjeBb9w4VrUG9hWyBK=A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Yoav Weiss <yoav@yoav.ws>, Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
fwiw, +1 for hashes (and nonces) only applying to inline resources and
dealing with external resources in a separate
spec.

ian

On Mon, Oct 21, 2013 at 2:19 AM, Mike West <mkwst@google.com> wrote:

> It seems like there's consensus that hashes should only apply to inline
> resources.
>
> I do think there's a good deal of value in dealing with hashing external
> resources, but I'd agree with Trevor's suggestion that that ought to be
> dealt with in a separate specification.
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
>
>
> On Sat, Oct 19, 2013 at 11:52 PM, Yoav Weiss <yoav@yoav.ws> wrote:
>
>> As one of the supporters of script/style hashes, I have no use case for
>> external script/style hashes, only for inline ones.
>>
>>
>
Received on Monday, 21 October 2013 17:26:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC