W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2009

[whatwg] Browser Bundled Javascript Repository

From: Aaron Boodman <aa@google.com>
Date: Mon, 15 Jun 2009 19:59:16 -0700
Message-ID: <278fd46c0906151959n2b61a136qf9930a78032329ea@mail.gmail.com>
2009/6/15 Ian Fette (????????) <ifette at google.com>:
> In the event of a collision there would be huge issues - imagine running
> someone else's script in your application. Basically XSS - someone could
> take over your app, steal passwords, do bank transactions on your behalf,
> etc.
> Collisions are made easier in plain text than in certs given that your input
> is not constrained.

I think the idea was for browser vendors to select and include these
libraries in the browser. So there isn't an obvious (to me) way for an
attacker to use hash collisions to create an XSS.

That said, I don't think content hashes are the right identifier.
Using a sha-1 of a specific jquery version would prevent anyone from
ever fixing critical bugs in it. There's be all this legacy content
out there referring to an outdated version.

- a
Received on Monday, 15 June 2009 19:59:16 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:13 UTC