
Re: [integrity]: Origin confusion attacks.

From: Pete Freitag <pete@foundeo.com>
Date: Fri, 10 Jan 2014 12:46:30 -0500
Message-ID: <CAADZ8V714jxAcyDFpYU5M2L81EXxKjm9y9u6oBY7QXA05z7FRA@mail.gmail.com>
To: Ben Toews <btoews@github.com>
Cc: Mike West <mkwst@google.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Jan 10, 2014 at 12:30 PM, Ben Toews <btoews@github.com> wrote:

> It doesn’t seem like you would need to provide the nonce in style.css
> because the integrity hash of cat.gif is already incorporated into the
> integrity hash of style.css.
>

I agree it is probably not a problem for CSS because all of the resources
it will load are explicitly defined and hashed. I'm just not sure about
resources loaded dynamically from a script - what do you guys think?
Received on Friday, 10 January 2014 17:47:17 UTC
