- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 6 Oct 2014 07:28:21 -0700
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

> What if CSP's hash sources could be a solution to this problem? If
> the website explicitly says that it allows a script with this hash in
> its CSP policy, isn't it less likely to be fake?

This is great! My major concern is that this will blow up the CSP policy to an unacceptably large value. No idea what the solution is, unfortunately.

thanks
Dev

Received on Monday, 6 October 2014 14:29:08 UTC