> Seems that if you could inject a hash there, you could have script
> injected either way. So seems likely that would be safe. But does that
> mean we'd require CSP to make use of this bit of SRI or that if CSP is
> enabled you need to do this?

I think you wouldn't require CSP for cases where CSP is not enabled since injection (without CSP) can already result in an equivalent attack (i.e. you can XSS).

Received on Monday, 6 October 2014 13:17:15 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC