Re: [integrity]: Origin confusion attacks.

CSP 1.1 does support hashing for inlined scripts. I think it's worth
sitting down to think about how that might be better made to mesh with this
spec.

-mike

--
Mike West <mkwst@google.com>


On Thu, Jan 9, 2014 at 4:26 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> > I don't have a good mitigation idea off the top of my head, but I agree it's
> > something we should worry about.
>
> A moderately ugly solution would be to require CSP policies to
> explicitly specify permitted hashes; integrity cache would be bypassed
> if the hash is not whitelisted, always resulting in a request being
> sent or the document being retrieved from the regular browser cache.
>
> /mz
>

Received on Thursday, 9 January 2014 15:30:40 UTC
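
The mitigation proposed in the quoted text, sketched as an added example (not code from this thread, from a browser, or from the spec). It assumes the permitted hashes are written as CSP hash-sources in `script-src`; the function names, the cache shape and the digests are constructed for illustration.

```javascript
// Added illustration of the quoted proposal; not browser or spec code.
// Assumption: permitted hashes are CSP hash-sources in script-src.

// Collect hash-sources ('sha256-<base64>' etc.) from one CSP directive.
function allowedHashes(cspHeader, directive = 'script-src') {
  const hashes = new Set();
  for (const part of cspHeader.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() !== directive) continue;
    for (const src of sources) {
      const m = /^'(sha(?:256|384|512))-([A-Za-z0-9+/_-]+={0,2})'$/i.exec(src);
      if (m) hashes.add(`${m[1].toLowerCase()}-${m[2]}`);
    }
    break; // CSP honours only the first occurrence of a directive
  }
  return hashes;
}

// Decide how a fetch carrying an integrity digest is satisfied.
// integrityCache: Map from digest to body, shared across origins.
function resolve(request, cspHeader, integrityCache) {
  const permitted = allowedHashes(cspHeader);
  if (permitted.has(request.integrity) && integrityCache.has(request.integrity)) {
    return { source: 'integrity-cache', body: integrityCache.get(request.integrity) };
  }
  // Digest not whitelisted by the document's policy: bypass the integrity
  // cache, so a request is sent (or the regular URL-keyed cache is used).
  return { source: 'network', url: request.url };
}

// Constructed sample data: placeholder digests, not real SHA-256 outputs.
const DIGEST_A = 'sha256-constructedDigestA=';
const DIGEST_B = 'sha256-constructedDigestB=';
const sharedCache = new Map([[DIGEST_A, '/* lib A */'], [DIGEST_B, '/* lib B */']]);
const policy = `default-src 'self'; script-src 'self' '${DIGEST_A}'`;

function demo() {
  return [DIGEST_A, DIGEST_B].map((integrity) =>
    resolve({ url: 'https://cdn.example/lib.js', integrity }, policy, sharedCache).source);
}
console.log(demo()); // [ 'integrity-cache', 'network' ]
```

Both digests are present in the shared cache, but only the one named in the document's own policy is served from it; the other falls through to a normal request.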