CSP 1.1 does support hashing for inlined scripts. I think it's worth sitting down to think about how that might be better made to mesh with this spec. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Jan 9, 2014 at 4:26 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote: > > I don't have a good mitigation idea off the top of my head, but I agree > it's > > something we should worry about. > > A moderately ugly solution would be to require CSP policies to > explicitly specify permitted hashes; integrity cache would be bypassed > if the hash is not whitelisted, always resulting in a request being > sent or the document being retrieved from the regular browser cache. > > /mz >Received on Thursday, 9 January 2014 15:30:40 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC