Re: [integrity]: Origin confusion attacks.

1. In [1], I've explicitly made caching an optional bit of the spec, by
using the magic word "OPTIONAL". Hooray for RFC 2119.

2. Also in [1], I've added the nonce bit discussed here for `script` and
`style`. The attribute isn't defined in CSP for any other elements.
Personally, I'm not sure it needs to be, but we can certainly add it if
there's demand.

[1]:
https://github.com/w3c/webappsec/commit/b0213618fc8cadd773f1f89b743451d6b743295a

On Fri, Jan 10, 2014 at 6:46 PM, Pete Freitag <pete@foundeo.com> wrote:

> On Fri, Jan 10, 2014 at 12:30 PM, Ben Toews <btoews@github.com> wrote:
>
>> It doesn’t seem like you would need to provide the nonce in style.css
>> because the integrity hash of cat.gif is already incorporated into the
>> integrity hash of style.css.
>>
>
> I agree it is probably not a problem for CSS because all of the resources
> it will load are explicitly defined and hashed. I'm just not sure about
> resources loaded dynamically from a script - what do you guys think?
>

As Ben suggests, I think that validating the CSS file transitively
validates the resources it contains (assuming that we have agreed-upon
syntax for integrity metadata contained in CSS (see the other thread)).

-mike

Received on Thursday, 16 January 2014 14:24:02 UTC
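
The transitive-validation argument in this message, sketched as an added example that is not part of the original e-mail or of the spec. The `url(...) integrity(...)` syntax is hypothetical (the thread notes that no syntax had been agreed), and `verify_stylesheet`, `fetch` and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

def digest(data: bytes) -> str:
    """Return a 'sha256-<base64>' integrity value for the given bytes."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()

# Hypothetical in-CSS metadata syntax: url(cat.gif) integrity(sha256-...)
REF = re.compile(r"url\(([^)]+)\)\s+integrity\((sha256-[A-Za-z0-9+/=]+)\)")

def verify_stylesheet(css: bytes, expected: str, fetch) -> str:
    """Check the stylesheet against the hash from the page, then check each
    subresource against the hash embedded in the (now trusted) stylesheet."""
    if digest(css) != expected:
        return "stylesheet hash mismatch"
    for name, sub_hash in REF.findall(css.decode()):
        if digest(fetch(name)) != sub_hash:
            return "subresource mismatch: " + name
    return "ok"

# Constructed sample data: the page author pins only the stylesheet hash.
CAT = b"GIF89a constructed sample image bytes"
CSS = ("body { background: url(cat.gif) integrity(%s); }" % digest(CAT)).encode()
PAGE_HASH = digest(CSS)  # value the page would carry for style.css

if __name__ == "__main__":
    evil = b"GIF89a substituted image bytes"
    # Honest origin: both levels verify.
    print(verify_stylesheet(CSS, PAGE_HASH, lambda n: CAT))
    # Image swapped, stylesheet untouched: caught by the embedded hash.
    print(verify_stylesheet(CSS, PAGE_HASH, lambda n: evil))
    # Image swapped and embedded hash rewritten to match: the stylesheet's
    # own hash no longer matches what the page pinned.
    forged = CSS.replace(digest(CAT).encode(), digest(evil).encode())
    print(verify_stylesheet(forged, PAGE_HASH, lambda n: evil))
```

The third case is the one the thread relies on: because the image hash is part of the stylesheet's bytes, it cannot be changed without invalidating the hash the page pinned for the stylesheet.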