- From: Mark Goodwin <mgoodwin@mozilla.com>
- Date: Mon, 6 Oct 2014 03:24:45 -0700 (PDT)
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Frederik Braun <fbraun@mozilla.com>, public-webappsec@w3.org
> Seems that if you could inject a hash there, you could have script
> injected either way. So seems likely that would be safe. But does that
> mean we'd require CSP to make use of this bit of SRI or that if CSP is
> enabled you need to do this?

I think you wouldn't require CSP for cases where CSP is not enabled since injection (without CSP) can already result in an equivalent attack (i.e. you can XSS).
Received on Monday, 6 October 2014 13:17:15 UTC