
Re: [integrity]: Origin confusion attacks.

From: Frederik Braun <fbraun@mozilla.com>
Date: Fri, 10 Jan 2014 10:13:27 +0100
Message-ID: <52CFB9B7.7000809@mozilla.com>
To: public-webappsec@w3.org, pete@foundeo.com
On 10.01.2014 10:01, Mike West wrote:
> ..
> 3. A manual opt-in solution might be reasonable, however. One of the
> following approaches might make sense:
> 
>     1. We could add an 'unsafe-integrity' source expression to CSP's
> grammar.
>     2. We could look at the integrity-based cache only if a nonce was
> applied to the script.
>     3. We could take Michal's approach, and whitelist external hashes.
>     4. Moar ideas?
> 
> WDYT?
> 

Opt-in sounds preferable. I find Michal's approach more elegant, but am
not overly opposed to the second either.
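Added example (not code from this thread, from Mozilla, or from any browser or W3C spec): a toy model of the origin-independent, content-addressed "integrity cache" the thread is worried about, with the two opt-in gates discussed above (a CSP nonce on the script, or Michal's allowlist of external hashes) as switchable policies. The integrity metadata format `sha256-<base64>` and the whitespace-separated, strongest-algorithm-wins matching follow the SRI draft; the cache class, the policy names `always`, `nonce` and `allowlist`, the shape of the `csp` dictionary and the sample script body are assumptions of this example.

```python
import base64
import hashlib
from typing import Dict, Optional

# SRI hash algorithms, weakest to strongest (per the SRI draft).
SUPPORTED = ("sha256", "sha384", "sha512")


def _b64_digest(body: bytes, alg: str) -> str:
    return base64.b64encode(hashlib.new(alg, body).digest()).decode("ascii")


def sri_digest(body: bytes, alg: str = "sha256") -> str:
    """Integrity metadata for body in SRI form: '<alg>-<base64 digest>'."""
    return f"{alg}-{_b64_digest(body, alg)}"


def integrity_matches(body: bytes, integrity: str) -> bool:
    """Check body against a whitespace-separated integrity attribute.

    Tokens with unknown algorithms are ignored, only the strongest known
    algorithm listed is consulted, and any matching digest for it passes.
    With no usable token this returns False; SRI treats that case as
    'no integrity', which the caller handles separately in a real loader.
    """
    parsed = []
    for token in integrity.split():
        alg, sep, digest = token.partition("-")
        alg = alg.lower()
        if sep and alg in SUPPORTED:
            parsed.append((alg, digest.split("?")[0]))  # drop "?option" suffix
    if not parsed:
        return False
    strongest = max(parsed, key=lambda p: SUPPORTED.index(p[0]))[0]
    return any(_b64_digest(body, alg) == digest
               for alg, digest in parsed if alg == strongest)


class IntegrityCache:
    """Cache keyed by integrity metadata only; the origin the bytes came
    from is not part of the key. That is exactly why a second origin can
    be served another origin's bytes, and why the thread wants an opt-in.

    policy (names assumed for this example, not CSP syntax):
      'always'    consult the cache for any script carrying integrity
      'nonce'     only when the script's nonce matches CSP's script nonce
      'allowlist' only when the digest is in the CSP hash allowlist
    """

    def __init__(self, policy: str):
        self.policy = policy
        self._store: Dict[str, bytes] = {}

    def store(self, body: bytes) -> str:
        key = sri_digest(body)
        self._store[key] = body
        return key

    def lookup(self, script: dict, csp: dict) -> Optional[bytes]:
        integrity = script.get("integrity", "")
        if self.policy == "nonce":
            if not script.get("nonce") or script["nonce"] != csp.get("script_nonce"):
                return None
        elif self.policy == "allowlist":
            if integrity not in csp.get("allowed_hashes", ()):
                return None
        elif self.policy != "always":
            return None
        body = self._store.get(integrity)
        # Re-verify on the way out so a corrupted store cannot serve bad bytes.
        if body is not None and not integrity_matches(body, integrity):
            return None
        return body


def demo() -> Dict[str, bool]:
    """Populate the cache from one origin, then look up the same digest for a
    script on a different origin, with and without the opt-in signal."""
    body = b"window.secret = 42;"  # constructed sample script body
    key = sri_digest(body)
    results = {}
    for policy in ("always", "nonce", "allowlist"):
        cache = IntegrityCache(policy)
        cache.store(body)  # filled by a load from https://a.example (constructed)
        other = {"src": "https://b.example/lib.js", "integrity": key}
        csp = {"script_nonce": "r4nd0m", "allowed_hashes": set()}
        results[policy + "/no-optin"] = cache.lookup(other, csp) is not None
        results[policy + "/optin"] = cache.lookup(
            {**other, "nonce": "r4nd0m"}, {**csp, "allowed_hashes": {key}}) is not None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} cache hit: {v}")
```

With `always`, the cross-origin lookup hits regardless of any page signal; with `nonce` or `allowlist` it hits only when the page has explicitly opted in, which is the behaviour the "manual opt-in" suggestion asks for.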
Received on Friday, 10 January 2014 09:13:55 UTC
