Re: [integrity] content-addressable cache?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 6 Oct 2014 11:15:58 +0200
Message-ID: <CADnb78jSDi4ciih8+EtC+3OwQ5ZwHiuPR-LOo-erCA-+WYvqSg@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Oct 6, 2014 at 10:53 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> My colleague Mark Goodwin came up with this:
> What if CSP's hash sources could be a solution to this problem? If
> the website explicitly says that it allows a script with this hash in
> its CSP policy, isn't it less likely to be fake?
> What do you think?

Seems that if you could inject a hash there, you could have script
injected either way. So seems likely that would be safe. But does that
mean we'd require CSP to make use of this bit of SRI or that if CSP is
enabled you need to do this?

Received on Monday, 6 October 2014 09:16:25 UTC
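
The check the quoted proposal describes, sketched as an added example that is not part of the original message or of any browser's implementation: a content-addressable cache hit is allowed only when the page's own CSP lists the same digest as the script's `integrity` value. The function names, the use of `script-src` (falling back to `default-src`) as the opt-in, and the sample digests are assumptions.

```javascript
// Added illustration: names are hypothetical, sample values are constructed.
const DIGEST = /^(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})$/i;

// Normalize "ALG-base64" to a lowercase algorithm name; null if malformed.
function normalizeDigest(token) {
  const m = DIGEST.exec(token);
  return m ? `${m[1].toLowerCase()}-${m[2]}` : null;
}

// Parse a serialized CSP policy into a Map: directive name -> source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Hash sources that govern scripts: script-src, falling back to default-src.
function scriptHashSources(policy) {
  const d = parsePolicy(policy);
  const sources = d.get('script-src') || d.get('default-src') || [];
  const hashes = new Set();
  for (const s of sources) {
    if (!/^'.*'$/.test(s)) continue; // hash sources are single-quoted
    const digest = normalizeDigest(s.slice(1, -1));
    if (digest) hashes.add(digest);
  }
  return hashes;
}

// Return the digest usable as a shared-cache key, or null when the page's
// own policy does not list any digest from the element's integrity value.
function sharedCacheKey(policy, integrity) {
  if (!policy) return null; // no CSP means no opt-in: fetch normally
  const allowed = scriptHashSources(policy);
  for (const token of integrity.trim().split(/\s+/)) {
    const digest = normalizeDigest(token.split('?')[0]);
    if (digest && allowed.has(digest)) return digest;
  }
  return null;
}

// Constructed sample digests (not real file hashes).
const SAMPLE_A = 'sha256-' + 'A'.repeat(43) + '=';
const SAMPLE_B = 'sha256-' + 'B'.repeat(43) + '=';
```

A `null` result means the resource is fetched from its URL as usual, so a page that never listed the digest in its policy cannot be handed a cached body it did not opt in to.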