- From: Sandeep Kamble <sandeepk.l337@gmail.com>
- Date: Fri, 10 Jan 2014 17:27:54 +0530
- To: Mike West <mkwst@google.com>
- Cc: Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Pete Freitag <pete@foundeo.com>
- Message-ID: <CALq7B37eAeWE=71aejzYX--XVAf8qSyQ8cdK5FXRegwu0oOL=A@mail.gmail.com>
Nice,

<script src="https://code.jquery.com/jquery-1.10.2.min.js"
integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=text/javascript&o=*">

<script src="https://code.jquery.com/jquery-1.10.2.min.js"
integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=text/javascript&o=ajax.googleapis.com+cdnjs.cloudflare.com+code.jquery.com">

Okay, here comes one stupid question. What does the integrity attribute do?

On Fri, Jan 10, 2014 at 2:48 PM, Mike West <mkwst@google.com> wrote:

> I think the nonce makes it clear that the script tag was added by the
> author, rather than maliciously injected. That should give us enough trust
> in the author's intent to bypass the origin check, assuming the integrity
> check hits the cache.
>
> The risk there would be that an attacker could inject an integrity
> attribute into a script tag. I think that's unlikely enough for us to
> consider the risk minimal.
>
> I also like Michal's approach, but I'm very worried about bloating the CSP
> header to the point where it outweighs the content it's protecting. Chrome
> has some sort of reasonable limit on header size (I have 16k in my head,
> but I've no idea if that's accurate)... how soon will we be hitting that? :)
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Court of registration and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Fri, Jan 10, 2014 at 10:13 AM, Frederik Braun <fbraun@mozilla.com> wrote:
>
>> On 10.01.2014 10:01, Mike West wrote:
>> > ..
>> > 3. A manual opt-in solution might be reasonable, however. One of the
>> > following approaches might make sense:
>> >
>> > 1. We could add an 'unsafe-integrity' source expression to CSP's
>> > grammar.
>> > 2. We could look at the integrity-based cache only if a nonce was
>> > applied to the script.
>> > 3. We could take Michal's approach, and whitelist external hashes.
>> > 4. Moar ideas?
>> >
>> > WDYT?
>> >
>>
>> Opt-in sounds preferable. I find Michal's approach more elegant, but am
>> not overly opposed to the second either.
>>
>>
>
Received on Friday, 10 January 2014 16:38:13 UTC
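
Added example, not part of the original message and not any browser's implementation: a Python sketch of the comparison that an integrity value like the ones quoted in this message implies, assuming the ni:/// syntax of RFC 6920 (algorithm name, base64url digest without padding, then query parameters). The function names and the sample body are constructed for illustration, treating ct as an expected content type is an assumption, and the o parameter is parsed but not interpreted.

```python
import base64
import hashlib

# RFC 6920 algorithm names this sketch accepts, mapped to hashlib names.
ALGORITHMS = {"sha-256": "sha256"}


def _digest(alg: str, body: bytes) -> str:
    """Base64url digest without '=' padding, as used in ni:/// URIs."""
    raw = hashlib.new(ALGORITHMS[alg], body).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_ni(body: bytes, content_type: str, alg: str = "sha-256") -> str:
    """Build the integrity value an author would put in the tag."""
    return f"ni:///{alg};{_digest(alg, body)}?ct={content_type}"


def parse_ni(value: str) -> dict:
    """Split an ni:/// value into algorithm, digest and raw query parameters."""
    if not value.startswith("ni:///"):
        raise ValueError("not an ni:/// URI")
    name, _, query = value[len("ni:///"):].partition("?")
    alg, sep, digest = name.partition(";")
    if not sep or not digest or alg not in ALGORITHMS:
        raise ValueError("malformed value or unsupported algorithm")
    # Parameters are kept raw; 'o' is parsed but not interpreted here.
    params = dict(p.partition("=")[::2] for p in query.split("&") if p)
    return {"alg": alg, "digest": digest, "params": params}


def check_integrity(value: str, body: bytes, content_type: str) -> bool:
    """Fail closed: any parse error or mismatch rejects the resource."""
    try:
        ni = parse_ni(value)
    except ValueError:
        return False
    expected_ct = ni["params"].get("ct")  # assumption: ct pins the content type
    if expected_ct is not None and expected_ct != content_type:
        return False
    return _digest(ni["alg"], body) == ni["digest"]


# Constructed sample resource, not the real jQuery file.
SAMPLE_BODY = b"window.demo = 1;\n"
SAMPLE_NI = make_ni(SAMPLE_BODY, "text/javascript")
```

A single changed byte in the body, a different content type, or an unsupported algorithm all make check_integrity return False.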