Re: [integrity]: Origin confusion attacks.

On Fri, Jan 10, 2014 at 12:30 PM, Ben Toews <btoews@github.com> wrote:

> It doesn’t seem like you would need to provide the nonce in style.css
> because the integrity hash of cat.gif is already incorporated into the
> integrity hash of style.css.

I agree it is probably not a problem for CSS because all of the resources
it will load are explicitly defined and hashed. I'm just not sure about
resources loaded dynamically from a script - what do you guys think?

Received on Friday, 10 January 2014 17:47:17 UTC