- From: Kristijan Burnik <burnik@google.com>
- Date: Thu, 30 Jul 2015 12:01:54 +0200
- To: Ahmed Saleh <ahmedzs@live.ca>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CANJwyhXFu7CtA94ifZJkz8Z1PQKor9p=jdZGzGavjiedO3pXJg@mail.gmail.com>
Hello,

Sounds like an interesting idea. I'm not quite sure it would ever work the way you describe. I think it would create more problems for developers than actually protect anything. :-/

My experience is that the most important and sensitive code lives on the server (as it should) and never touches the client. Other than that, it's pretty common to obfuscate the JS code, e.g. by minifying it. In any case, as it holds for encryption, security should never be in danger from one's ability to read the source code.

So how would, for example, CURL work if it reached your website? Would one be able to read your code? My point is: you would have to do these hash checks on the server-side, and the hashes would be well-known, so an attacker could just inject the hash while doing the CURL in the first place...

Btw, you would constantly need to update your list of hashes because you start off by white-listing, so your service would be inaccessible to some clients if you miss out on any relevant signatures... This is also hard to test, unless you have a nice farm of browsers in your test infrastructure. Sounds expensive to me... :-/

Did you have a chance to read about subresource integrity [1]?

[1] http://www.w3.org/TR/SRI/

On Tue, Jul 28, 2015 at 2:53 AM, Ahmed Saleh <ahmedzs@live.ca> wrote:

> Hi Sir/Madam,
>
> Due to the publicly exposed nature of JavaScript and HTML code to browsers and clients, it's not protected from people who can steal or manipulate the responded code from servers. Therefore, I have a suggestion to solve this situation. We can make all known browsers have a specific signature (hash), and a website would only work for a list of given signatures which represent all known browsers.
>
> So on my website I can check for the current browser that's trying to connect with me as a server and decide if it's valid based on its signature, and continue the connection if the signature is found in my data list (of browsers[name&version]-signature/hash key-value pairs), or not if invalid and the signature is not found in my list of signatures of all known browsers, and terminate the connection. The browsers, on the other hand, could respond to meta tags on my website such as <meta immutable>, which prevents websites from being mutated by plugins, and <meta protected>, which protects source code from view.
>
> Thank you,

--
Kristijan Burnik
Software Engineering Intern
burnik@google.com
Google Germany GmbH
Dienerstraße 12
80331 München
Managing directors: Graham Law, Christine Elizabeth Flores
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
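The subresource integrity mechanism referenced as [1] above, as an added illustration that is not part of this thread: unlike the proposal, where the server trusts a hash the client claims for itself, SRI has the page author publish a digest of the resource's bytes and the browser recompute it on what it actually fetched, so reading the hash gives an attacker nothing. The script bytes, the tampered variant and the tag emitted are constructed for this example.

```python
"""Added example (not from the original thread): SRI integrity metadata,
generated on the publishing side and verified on the fetching side.
The sample script and its tampered copy below are constructed inputs."""
import base64
import hashlib
import hmac

# Constructed resource a page would reference via <script src=...>.
ORIGINAL_SCRIPT = b"window.appInit = function () { return 'ok'; };\n"
# The same resource with one token altered in transit (constructed).
TAMPERED_SCRIPT = b"window.appInit = function () { return 'pwned'; };\n"

# Algorithms SRI accepts, ordered by strength; stronger wins when several are listed.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Publishing side: the value the author puts in the integrity attribute."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(data: bytes, integrity: str) -> bool:
    """Fetching side: recompute the digest of the bytes actually received and
    compare it against the published metadata. Per the SRI spec, only the
    tokens using the strongest listed algorithm are considered, and any one
    of them matching is enough; tokens with unknown algorithms are ignored."""
    tokens = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo not in STRENGTH:
            continue
        expected = rest.split("?", 1)[0]  # spec allows trailing "?options"
        tokens.append((STRENGTH[algo], algo, expected))
    if not tokens:
        return True  # no usable metadata: spec treats the load as unrestricted
    strongest = max(s for s, _, _ in tokens)
    for strength, algo, expected in tokens:
        if strength != strongest:
            continue
        actual = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected):
            return True
    return False


def script_tag(src: str, data: bytes) -> str:
    """The tag a page author emits once the resource's digest is known."""
    return (f'<script src="{src}" integrity="{sri_integrity(data)}" '
            'crossorigin="anonymous"></script>')
```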
Received on Thursday, 30 July 2015 10:04:18 UTC