Re: [integrity]: Origin confusion attacks. from Mike West on 2014-01-09 (public-webappsec@w3.org from January 2014)

From: Mike West <mkwst@google.com>
Date: Thu, 9 Jan 2014 16:29:47 +0100
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Ben Toews <btoews@github.com>, Joel Weinberger <jww@google.com>, Frederik Braun <fbraun@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>
Message-ID: <CAKXHy=daE7PM2cedhcjEduBWuSvZdpiam9OLEVpmcYiv53KpvA@mail.gmail.com>

CSP 1.1 does support hashing for inlined scripts. I think it's worth
sitting down to think about how that might be better made to mesh with this
spec.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Jan 9, 2014 at 4:26 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> > I don't have a good mitigation idea off the top of my head, but I agree
> it's
> > something we should worry about.
>
> A moderately ugly solution would be to require CSP policies to
> explicitly specify permitted hashes; integrity cache would be bypassed
> if the hash is not whitelisted, always resulting in a request being
> sent or the document being retrieved from the regular browser cache.
>
> /mz
>

Received on Thursday, 9 January 2014 15:30:40 UTC