Re: [integrity]: Origin confusion attacks.

> I don't have a good mitigation idea off the top of my head, but I agree it's
> something we should worry about.

A moderately ugly solution would be to require CSP policies to
explicitly specify permitted hashes; the integrity cache would be bypassed
if the hash is not whitelisted, always resulting in a request being
sent or the document being retrieved from the regular browser cache.

/mz

Received on Thursday, 9 January 2014 15:27:18 UTC
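
The gating rule proposed in the message above, as an added sketch that is not part of the original message or of any browser or spec. It assumes the permitted hashes appear as quoted `'sha256-…'` source tokens in the CSP header; the function names, return values and sample hashes are hypothetical or constructed.

```javascript
// Added illustration of the proposed rule. All names are hypothetical.

// Collect quoted hash tokens ('sha256-...') from every directive of a
// CSP header value. Assumption: this is how a policy would list them.
function permittedHashes(cspHeader) {
  const hashes = new Set();
  for (const directive of cspHeader.split(';')) {
    // slice(1) skips the directive name (e.g. script-src).
    for (const token of directive.trim().split(/\s+/).slice(1)) {
      const m = /^'(sha(?:256|384|512)-[A-Za-z0-9+\/_=-]+)'$/.exec(token);
      if (m) hashes.add(m[1]);
    }
  }
  return hashes;
}

// Decide where a subresource carrying an integrity hash is loaded from.
// integrityCache is a Map from hash string to cached body.
function resolveLoad(cspHeader, integrityHash, integrityCache) {
  const allowed = permittedHashes(cspHeader || '');
  if (!allowed.has(integrityHash)) {
    // Hash not whitelisted by this document's policy: bypass the
    // integrity cache even if it holds a matching entry.
    return { source: 'network-or-http-cache', reason: 'hash-not-in-policy' };
  }
  if (!integrityCache.has(integrityHash)) {
    return { source: 'network-or-http-cache', reason: 'cache-miss' };
  }
  return {
    source: 'integrity-cache',
    reason: 'hash-in-policy',
    body: integrityCache.get(integrityHash),
  };
}

// Constructed sample data: the hashes are placeholders, not real digests.
const HASH_LIB = 'sha256-AAAAconstructedLibHashAAAA=';
const HASH_OTHER = 'sha256-BBBBconstructedOtherHashBBBB=';
const sampleCache = new Map([
  [HASH_LIB, '/* library body */'],
  [HASH_OTHER, '/* other body */'],
]);
const samplePolicy = `script-src 'self' '${HASH_LIB}'; object-src 'none'`;

console.log(resolveLoad(samplePolicy, HASH_LIB, sampleCache).source);
console.log(resolveLoad(samplePolicy, HASH_OTHER, sampleCache).reason);
```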