[CSP] Consistency of CSP hash-source with SRI regarding secure origins

I have two questions regarding CSP hash, particularly for the people that
are concerned about the use of SRI for non-secure content:

1. What distinction, if any, should be made between the policy for CSP
hash-source vs. SRI for non-secure origins? Does Google Chrome implement
CSP hash-source for non-secure documents? Is the implemented behavior
intentional or accidental? Will it change?

2. Does anybody have any implementation experience to report, regarding the
use of CSP hash-source on non-secure origins? In particular, have people
found middleboxes tampering with their <script> elements in a way that
causes CSP violations due to hash-source?

It seems to me that SRI and CSP hash-source are quite similar to each
other, so it seems reasonable to have the same policy for both, regarding
the secure origins thing.

Thanks,
Brian

Received on Thursday, 6 November 2014 03:03:34 UTC
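As an added illustration (not part of Brian's message, nor any browser's implementation), the following Python computes the hash-source token that CSP and SRI share and shows why a middlebox that alters an inline script's bytes produces a CSP hash-source violation; the script bodies and the proxy rewrite are constructed samples.

```python
import base64
import hashlib

# Constructed sample: the inline script exactly as the origin server emitted it.
ORIGINAL_SCRIPT = "console.log('hello from the origin');"

# Constructed sample: the same script after a hypothetical middlebox rewrote it
# (here it appended a line; even a trailing newline would change the digest).
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + "\nconsole.log('injected by proxy');"

ALGOS = ("sha256", "sha384", "sha512")


def hash_source(script_text: str, algo: str = "sha256") -> str:
    """Return the token used by both CSP hash-source and SRI.

    CSP writes it quoted in script-src ('sha256-...'), SRI writes it in the
    integrity attribute; the value is base64(hash(exact bytes)) in both cases.
    """
    if algo not in ALGOS:
        raise ValueError("CSP/SRI only allow sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_policy(script_text: str) -> str:
    """Build the script-src value a server would emit for one inline script."""
    return f"script-src 'self' '{hash_source(script_text)}'"


def allowed_by_policy(script_text: str, script_src: str) -> bool:
    """Check a script body against the hash-sources in a script-src value.

    The script is allowed only if some listed hash matches its exact bytes,
    which is why any byte-level rewrite on the wire is a CSP violation.
    """
    allowed = set()
    for token in script_src.split():
        token = token.strip("'")
        algo, sep, _ = token.partition("-")
        if sep and algo in ALGOS:
            allowed.add(token)
    return any(hash_source(script_text, t.split("-", 1)[0]) == t for t in allowed)


if __name__ == "__main__":
    policy = build_policy(ORIGINAL_SCRIPT)
    print(policy)
    print("original allowed:", allowed_by_policy(ORIGINAL_SCRIPT, policy))
    print("tampered allowed:", allowed_by_policy(TAMPERED_SCRIPT, policy))
```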