
Re: Subresource Integrity strawman.

From: Mike West <mkwst@google.com>
Date: Thu, 9 Jan 2014 09:18:55 +0100
Message-ID: <CAKXHy=euxFn_74uUVDm+oKFuKQrez+PVuqdGko_vc196aiMOdg@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Ilya Grigorik <igrigorik@google.com>, Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Frederik Braun <fbraun@mozilla.com>, Brad Hill <bhill@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Mark Nottingham <mnot@mnot.net>, Tab Atkins <tabatkins@google.com>, William Chan <willchan@google.com>
Another interesting use case is #2 in the spec: advertising networks
generally review submitted ads in some way, approve them, and then delegate
the actual _serving_ of ad content out to third-party servers. This often
goes awry in spectacularly malicious ways.

It would be valuable for advertising networks to be able to specify
integrity metadata for ad content to ensure that _exactly_ the reviewed ad
is served, and no malicious substitutions are made.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Jan 9, 2014 at 12:45 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > may want to use a third-party service to host this resource (e.g. a CDN),
> > but I don't (entirely) trust the third party and want to make sure they
> > don't swap the content on me, so to guard against that I'm going to specify
> > an integrity hash in the markup.
> >
> > Does that sound about right?
>
> Yes. That's the main motivation of the specification.
>
> =Dev
>
Received on Thursday, 9 January 2014 08:19:43 UTC
