W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

[CSP] Consistency of CSP hash-source with SRI regarding secure origins

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 19:03:07 -0800
Message-ID: <CAFewVt7r18XiD2U9tz-F6xPhg_NHjDwhePKExEtMg+5SBQKn8A@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I have two questions regarding CSP hash, particularly for the people that
are concerned about the use of SRI for non-secure content:

1. What distinction, if any, should be made between the policy for CSP
hash-source vs. SRI for non-secure origins? Does Google Chrome implement
CSP hash-source for non-secure documents? Is the implemented behavior
intentional or accidental? Will it change?

2. Does anybody have any implementation experience to report, regarding the
use of CSP hash-source on non-secure origins? In particular, have people
found middleboxes tampering with their <script> elements in a way that
causes CSP violations due to hash-source?

It seems to me that SRI and CSP hash-source are quite similar to each
other, so it seems reasonable to have the same policy for both, regarding
the secure origins thing.

Thanks,
Brian
Received on Thursday, 6 November 2014 03:03:34 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC