
Re: [integrity] content-addressable cache?

From: Mark Goodwin <mgoodwin@mozilla.com>
Date: Mon, 6 Oct 2014 03:24:45 -0700 (PDT)
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Frederik Braun <fbraun@mozilla.com>, public-webappsec@w3.org
Message-ID: <1224859335.16110923.1412591085130.JavaMail.zimbra@mozilla.com>

> Seems that if you could inject a hash there, you could have script
> injected either way. So seems likely that would be safe. But does that
> mean we'd require CSP to make use of this bit of SRI or that if CSP is
> enabled you need to do this?

I think you wouldn't require CSP for cases where CSP is not enabled since injection (without CSP) can already result in an equivalent attack (i.e. you can XSS).
Received on Monday, 6 October 2014 13:17:15 UTC
