- From: Romuald Brillout <w3c@brillout.com>
- Date: Tue, 22 Dec 2015 00:47:44 +0100
- To: public-webappsec@w3.org
Received on Monday, 21 December 2015 23:48:12 UTC
As for CSP; scripts with sharedcache="true" should be treated equally as inline scripts.

Because
- We should assume that an attacker is able to add arbitrary assets to the shared cache (e.g. via a website he owns)
- Therefore setting the integrity attribute while sharedcache="true", is equivalent to setting the content of the script to the source of the asset, i.e. is equivalent to inline scripting

(this is a copy of a comment of https://github.com/w3c/webappsec/issues/504 because I don't know whether the mailing list or the GitHub repository supersedes)
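A small model of the argument in the message above, added here as an example; it is not part of the original post and not any browser's code. `SharedCache`, `loadScript` and `cspAllows` are hypothetical names, the hosts and script bodies are constructed, and `sharedcache` is the attribute proposed in this thread. It shows that URL-based `script-src` matching admits a `sharedcache` script whose content is selected by the hash alone, while matching on the hash (as for inline scripts) does not.

```javascript
// Added model (not a browser implementation): `sharedcache` is the attribute
// proposed in this thread; SharedCache, loadScript and cspAllows are hypothetical.
const { createHash } = require("node:crypto");

// SRI-style integrity value for a script body.
const sri = (body) =>
  "sha256-" + createHash("sha256").update(body).digest("base64");

// Content-addressed cache shared across origins: the key is the hash alone,
// so any site the user visits can populate it.
class SharedCache {
  constructor() { this.byHash = new Map(); }
  put(body) { this.byHash.set(sri(body), body); }
  get(integrity) { return this.byHash.get(integrity); }
}

// Resolve a <script>: with sharedcache="true" a cache hit is used and `src`
// is never requested, so the integrity value alone selects the code that runs.
function loadScript(el, cache, network) {
  if (el.sharedcache && cache.get(el.integrity) !== undefined) {
    return { body: cache.get(el.integrity), from: "shared-cache" };
  }
  const body = network[el.src];
  if (body === undefined || sri(body) !== el.integrity) return null;
  return { body, from: "network" };
}

// script-src check. inlineEquivalent=false matches only on the URL;
// inlineEquivalent=true applies the treatment argued for above: a sharedcache
// script passes only if its hash is listed in the policy, like an inline script.
function cspAllows(policy, el, inlineEquivalent) {
  if (el.sharedcache && inlineEquivalent) {
    return policy.hashes.includes(el.integrity);
  }
  return policy.hosts.includes(new URL(el.src).origin);
}

// Constructed sample data.
const trusted = "/* library served by cdn.example */";
const foreign = "/* body cached by an unrelated origin */";
const policy = { hosts: ["https://cdn.example"], hashes: [sri(trusted)] };
const network = { "https://cdn.example/lib.js": trusted };
const cache = new SharedCache();
cache.put(foreign);

// Injected markup names an allowed URL but carries the foreign body's hash.
const injected = { src: "https://cdn.example/lib.js", integrity: sri(foreign), sharedcache: true };
const genuine = { ...injected, integrity: sri(trusted) };
```

With URL-only matching the injected element passes the policy and resolves to the cached foreign body; with the inline-equivalent check only the element whose hash the policy lists is allowed.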