W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [integrity] content-addressable cache?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 6 Oct 2014 07:28:21 -0700
Message-ID: <CAPfop_3mxkq1MR3aVVuz5_cm60dxBQV4kgmHoYf=GO0vt5zkUw@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
>
> What if CSP's hash sources could be a solution to this problem? If
> the website explicitly says that it allows a script with this hash in
> its CSP policy, isn't it less likely to be fake?
>

This is great! My major concern is that this will blow up the CSP
policy to an unacceptably large value. No idea what the solution is,
unfortunately.

thanks
Dev
Received on Monday, 6 October 2014 14:29:08 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC