
Re: [integrity]: Origin confusion attacks.

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 9 Jan 2014 07:26:30 -0800
Message-ID: <CALx_OUBxceyfaZ_d8TpwBuLD34985HmJfPMTUw_0iQ+Ce_Je4A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, btoews@github.com, Joel Weinberger <jww@google.com>, Frederik Braun <fbraun@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>
> I don't have a good mitigation idea off the top of my head, but I agree it's
> something we should worry about.

A moderately ugly solution would be to require CSP policies to
explicitly specify permitted hashes; integrity cache would be bypassed
if the hash is not whitelisted, always resulting in a request being
sent or the document being retrieved from the regular browser cache.

/mz
Received on Thursday, 9 January 2014 15:27:18 UTC
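
The lookup rule proposed in this message, sketched as an added example that is not part of the original e-mail or of any browser's code. The function names, the in-memory cache model and the use of CSP `script-src` hash-source syntax as the allowlist are assumptions made for illustration; the digest value is constructed.

```javascript
// Constructed model of a content-addressed integrity cache shared across origins.
// Key: hash expression ("sha256-<base64>"), value: cached response body.
const integrityCache = new Map();

// Constructed sample digest (not a real hash of any file).
const LIB_HASH = 'sha256-Q09OU1RSVUNURUQtRVhBTVBMRS1ESUdFU1Q=';
integrityCache.set(LIB_HASH, '/* cached library body */');

const HASH_SOURCE = /^'(sha(?:256|384|512)-[A-Za-z0-9+\/_-]+={0,2})'$/;

// Collect the hash expressions that one directive of a CSP header permits.
function allowedHashes(cspHeader, directive = 'script-src') {
  const hashes = new Set();
  for (const part of cspHeader.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() !== directive) continue;
    for (const src of sources) {
      const m = HASH_SOURCE.exec(src);
      if (m) hashes.add(m[1]);
    }
    break; // only the first occurrence of a directive is honoured
  }
  return hashes;
}

// Decide where a resource carrying an integrity value may be loaded from.
// The integrity cache is consulted only if the embedding page's own policy
// lists the hash; otherwise it is bypassed and a request goes out (or the
// regular browser cache is used), as proposed in the message above.
function resolve(integrity, cspHeader) {
  const permitted = allowedHashes(cspHeader || '');
  if (permitted.has(integrity) && integrityCache.has(integrity)) {
    return { source: 'integrity-cache', body: integrityCache.get(integrity) };
  }
  return { source: 'network-or-regular-cache', body: null };
}
```
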
