Re: Security use cases for packaging from Daniel Kahn Gillmor on 2015-01-30 (public-webappsec@w3.org from January 2015)

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 29 Jan 2015 21:22:22 -0500
To: Yan Zhu <yzhu@yahoo-inc.com>, Ilya Grigorik <igrigorik@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Chris Palmer <palmer@google.com>, "public-webapps\@w3.org" <public-webapps@w3.org>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
Message-ID: <871tmdaty9.fsf@alice.fifthhorseman.net>

On Thu 2015-01-29 20:14:59 -0500, Yan Zhu wrote:
> A signed manifest-like package description that lists the hash and
> location of every resource seems fine as long as all the resources are
> downloaded and verified before running the app. Perhaps this kills
> some of the performance benefits motivating packaging in the first
> place. :(

Why would you need to fetch all the pieces before running the app?
Consider a manifest includes an integrity check covering resources X, Y,
and Z, but X is the only bit of code that runs first, and Y and Z aren't
loaded.

If you can validate the manifest, then you know you only run X if you've
verified the manifest and X's integrity.  If the user triggers an action
that requires resource Y, then you fetch it but don't use it unless it
matches the integrity check.

(i haven't developed webapps myself for ages, and the idea of a signed
webapp is relatively new to me, so feel free to explain any obvious part
that i'm missing)

        --dkg

Received on Friday, 30 January 2015 02:22:41 UTC