W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2013

Re: [whatwg] Proposal: Specify SHA512 hash of JavaScript files in <script> tag

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 14 Dec 2013 15:41:40 +0100
To: Some Developer <someukdeveloper@gmail.com>
Message-ID: <dfroa9psv09hlq04cgctjg5ki3ufsgm383@hive.bjoern.hoehrmann.de>
Cc: whatwg@whatwg.org
* Some Developer wrote:
>Currently most people store their JavaScript code on a CDN of some sort.
>This often involves uploading their JavaScript files to a server hosted and
>run by a third party which means the control and security of the server is
>out of the hands of the website owner. If the CDN is hacked or a rogue
>employee decides to edit your JavaScript you might end up serving malicious
>JavaScript to your users without even knowing it.
>
>In order to overcome this problem I propose that a new attribute is added
>to the <script> tag which allows the website owner to specify a SHA512 hash
>of the JavaScript file ahead of time. If when the file is downloaded from
>the CDN by the browser it does not match the SHA512 hash in the HTML the
>browser should discard the JavaScript file and display a warning to the
>user that the file has been modified and that it should be considered as
>malicious.

You probably want to talk to <http://www.w3.org/2011/webappsec/>.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 14 December 2013 14:42:09 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:14 UTC