- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 6 Oct 2014 11:15:58 +0200
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Oct 6, 2014 at 10:53 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> My colleague Mark Goodwin came up with this:
>
> What if CSP's hash sources could be a solution to this problem? If
> the website explicitly says that it allows a script with this hash in
> its CSP policy, isn't it less likely to be fake?
>
> What do you think?

Seems that if you could inject a hash there, you could have script
injected either way. So seems likely that would be safe. But does that
mean we'd require CSP to make use of this bit of SRI or that if CSP is
enabled you need to do this?

-- 
https://annevankesteren.nl/

Received on Monday, 6 October 2014 09:16:25 UTC