Re: [integrity]: Origin confusion attacks.

On 10.01.2014 10:01, Mike West wrote:
> ..
> 3. A manual opt-in solution might be reasonable, however. One of the
> following approaches might make sense:
> 
>     1. We could add an 'unsafe-integrity' source expression to CSP's
> grammar.
>     2. We could look at the integrity-based cache only if a nonce was
> applied to the script.
>     3. We could take Michal's approach, and whitelist external hashes.
>     4. Moar ideas?
> 
> WDYT?
> 

Opt-in sounds preferable. I find Michal's approach more elegant, but am
not overly opposed to the second either.

Received on Friday, 10 January 2014 09:13:55 UTC