> We're talking about two attacks on two applications that need to occur for
> all of this to work. That is, if I just compromise example.com, all I can do
> is modify foo.js, which the integrity check blocks. If I compromise the
> client app (let's call it bar.com) with an XSS, I can inject an
> integrity-less link to foo.js... but that's only concerning if I *also*
> compromised example.com.

Exactly! Let's first get to a world where you need two attacks, then we can worry about how to help against the two attacks. Right now, we are not even sure if something like SRI is practical on the web.

-dev

Received on Wednesday, 29 October 2014 17:15:03 UTC
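The two halves of the threat model in the exchange above, as an added example that is not part of the list thread: a browser-style SRI check (which is what stops the first attack, a modified foo.js on example.com) and a scan of a page's script tags for integrity-less loads (which is what the second attack, an injected tag on the client app, would look like to a defender). The script bodies, the integrity values and the sample HTML are constructed here; `example.com` and `foo.js` are only the names used in the thread.

```python
import base64
import hashlib
import re

# Relative strength used when an integrity attribute lists several algorithms:
# per the SRI spec the browser checks only against the strongest one present.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity token ('<algo>-<base64 digest>') for a resource body."""
    if algo not in _STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    raw = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute the way a browser does:
    parse the whitespace-separated tokens, ignore unknown algorithms and any
    '?options' suffix, keep only the strongest algorithm present, and accept if
    the body matches any digest listed for that algorithm."""
    parsed: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, sep, rest = token.partition("-")
        if sep and algo in _STRENGTH:
            parsed.setdefault(algo, set()).add(rest.split("?", 1)[0])
    if not parsed:
        # Spec behaviour: no usable metadata means the load is NOT checked.
        # That is why an integrity-less (or garbage-integrity) tag is the
        # interesting injection in the thread, not a tag with a wrong hash.
        return True
    strongest = max(parsed, key=_STRENGTH.__getitem__)
    actual = sri_digest(body, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r"""(\w[\w-]*)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def scripts_missing_integrity(html: str) -> list[str]:
    """Return the src of every external <script> tag that has no (or an empty)
    integrity attribute. Regex-based on purpose: this is an audit helper for
    constructed markup, not a full HTML parser."""
    missing = []
    for tag in _SCRIPT_TAG.finditer(html):
        attrs = {}
        for a in _ATTR.finditer(tag.group(1)):
            attrs[a.group(1).lower()] = a.group(3) or a.group(4) or a.group(5) or ""
        src = attrs.get("src")
        if src and not attrs.get("integrity"):
            missing.append(src)
    return missing


# --- constructed sample data -------------------------------------------------
FOO_JS = b"window.foo = function () { return 42; };\n"                 # genuine
TAMPERED_JS = b"window.foo = function () { return 42; }; exfil();\n"   # altered copy
INTEGRITY = sri_digest(FOO_JS)  # what bar.com would pin in its <script> tag

SAMPLE_HTML = f"""
<script src="https://example.com/foo.js" integrity="{INTEGRITY}" crossorigin="anonymous"></script>
<script src="https://example.com/foo.js"></script>
<script>inline();</script>
"""

if __name__ == "__main__":
    print("genuine foo.js passes:", sri_matches(FOO_JS, INTEGRITY))
    print("tampered foo.js passes:", sri_matches(TAMPERED_JS, INTEGRITY))
    print("script tags without integrity:", scripts_missing_integrity(SAMPLE_HTML))
```

The second tag in `SAMPLE_HTML` is the shape of the thread's second attack: it is the tag a page author would never write by hand, so its appearance in served markup is the thing to alert on, independent of whether example.com has been touched.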
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC