- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 29 Oct 2014 10:14:16 -0700
- To: Joel Weinberger <jww@chromium.org>
- Cc: Hatter Jiang OWS <hatter@openwebsecurity.org>, Ben Toews <btoews@github.com>, Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> We're talking about two attacks on two applications that need to occur for
> all of this to work. That is, if I just compromise example.com, all I can do
> is modify foo.js, which the integrity check blocks. If I compromise the
> client app (let's call it bar.com) with an XSS, I can inject an
> integrity-less link to foo.js... but that's only concerning if I *also*
> compromised example.com.

Exactly! Let's first get to a world where you need two attacks, then we can worry about how to help against the two attacks. Right now, we are not even sure if something like SRI is practical on the web.

-dev
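The two-attack model above, as an added example that is not part of this thread: a stand-alone Python model of the browser-side SRI check, with a constructed `foo.js` body standing in for what example.com serves and a tampered copy standing in for what a compromised example.com would serve. It shows that a matching `integrity` value blocks the tampered body, that only the strongest listed algorithm is consulted, and that an integrity-less link (the bar.com XSS case) loads anything unchecked.

```python
import base64
import hashlib

# Constructed sample bodies: the genuine foo.js and a tampered copy.
FOO_JS = b"window.foo = function () { return 'hello from foo.js'; };\n"
TAMPERED_FOO_JS = b"window.foo = function () { return 'tampered'; };\n"

# Digest algorithms SRI accepts, weakest to strongest.
SRI_ALGORITHMS = ["sha256", "sha384", "sha512"]


def integrity_value(body: bytes, algorithm: str = "sha384") -> str:
    """Build the value bar.com would put in <script integrity="..."> for body."""
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def check_integrity(body: bytes, integrity: str) -> bool:
    """Model the browser check on a fetched body.

    Returns True when the body may execute: it matches one of the digests
    listed for the strongest recognised algorithm, or no usable metadata
    was supplied (an integrity-less link is loaded unchecked).
    """
    parsed = []
    for token in integrity.split():
        algorithm, _, expected_b64 = token.partition("-")
        if algorithm in SRI_ALGORITHMS and expected_b64:
            parsed.append((algorithm, expected_b64))
    if not parsed:
        return True  # no integrity metadata at all: nothing to enforce
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    actual_b64 = base64.b64encode(hashlib.new(strongest, body).digest()).decode("ascii")
    return any(expected == actual_b64 for algorithm, expected in parsed
               if algorithm == strongest)


if __name__ == "__main__":
    tag_value = integrity_value(FOO_JS)
    print("genuine foo.js passes:", check_integrity(FOO_JS, tag_value))
    print("tampered foo.js passes:", check_integrity(TAMPERED_FOO_JS, tag_value))
    print("integrity-less link passes:", check_integrity(TAMPERED_FOO_JS, ""))
```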
Received on Wednesday, 29 October 2014 17:15:03 UTC