Re: [integrity]: Origin confusion attacks.

From: Mike West <mkwst@google.com>
Date: Thu, 9 Jan 2014 16:29:47 +0100
Message-ID: <CAKXHy=daE7PM2cedhcjEduBWuSvZdpiam9OLEVpmcYiv53KpvA@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Ben Toews <btoews@github.com>, Joel Weinberger <jww@google.com>, Frederik Braun <fbraun@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>

CSP 1.1 does support hashing for inlined scripts. I think it's worth
sitting down to think about how that might be better made to mesh with this
spec.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Jan 9, 2014 at 4:26 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> > I don't have a good mitigation idea off the top of my head, but I agree it's
> > something we should worry about.
>
> A moderately ugly solution would be to require CSP policies to
> explicitly specify permitted hashes; integrity cache would be bypassed
> if the hash is not whitelisted, always resulting in a request being
> sent or the document being retrieved from the regular browser cache.
>
> /mz
>
Received on Thursday, 9 January 2014 15:30:40 UTC
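
The mitigation proposed in the quoted message, sketched as an added example (not code from the thread or from any spec text): a hash-keyed integrity cache is consulted only when the document's policy explicitly lists the hash, and otherwise the load goes to the URL itself. `IntegrityCache`, `loadResource` and `allowedHashes` are hypothetical names, and the URL and script bodies are constructed sample data.

```javascript
const nodeCrypto = require("crypto");

// Hash in the "sha256-<base64>" form used for script hashes.
const digest = (body) =>
  "sha256-" + nodeCrypto.createHash("sha256").update(body).digest("base64");

// Content-addressed cache shared by every origin: keyed by hash, not by URL.
class IntegrityCache {
  constructor() { this.byHash = new Map(); }
  put(body) { const h = digest(body); this.byHash.set(h, body); return h; }
  get(hash) { return this.byHash.get(hash); }
}

// Decide how a resource that carries an integrity hash is loaded.
// allowedHashes: Set of hashes the document's policy lists explicitly (assumed shape).
// fetchFromNetwork: stand-in for a real request or the regular URL-keyed browser cache.
function loadResource({ url, integrity }, allowedHashes, cache, fetchFromNetwork) {
  if (allowedHashes.has(integrity)) {
    const cached = cache.get(integrity);
    if (cached !== undefined) return { source: "integrity-cache", body: cached };
  }
  // Hash not listed in the policy (or a cache miss): bypass the integrity cache,
  // retrieve the document from its own URL, and verify it before use.
  const body = fetchFromNetwork(url);
  if (digest(body) !== integrity) return { source: "blocked", body: null };
  cache.put(body);
  return { source: "network", body };
}

// Constructed scenario: the cache already holds content that did not come from
// https://site.example/, and a page there requests a URL with that content's hash.
function demo() {
  const cache = new IntegrityCache();
  const cachedHash = cache.put("console.log('cached elsewhere');");
  const network = { "https://site.example/lib.js": "console.log('site copy');" };
  const fetchFromNetwork = (url) => network[url];
  const request = { url: "https://site.example/lib.js", integrity: cachedHash };

  const listed = loadResource(request, new Set([cachedHash]), cache, fetchFromNetwork);
  const unlisted = loadResource(request, new Set(), cache, fetchFromNetwork);
  return { listed: listed.source, unlisted: unlisted.source };
}
```

With the hash listed in the policy the cached body is served; without it the request reaches the URL, and the cached content is never substituted for what that origin actually serves.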