On Sat, Dec 14, 2013 at 3:41 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Some Developer wrote:
> >Currently most people store their JavaScript code on a CDN of some sort.
> >This often involves uploading their JavaScript files to a server hosted and
> >run by a third party which means the control and security of the server is
> >out of the hands of the website owner. If the CDN is hacked or a rogue
> >employee decides to edit your JavaScript you might end up serving malicious
> >JavaScript to your users without even knowing it.
> >
> >In order to overcome this problem I propose that a new attribute is added
> >to the <script> tag which allows the website owner to specify a SHA512 hash
> >of the JavaScript file ahead of time. If when the file is downloaded from
> >the CDN by the browser it does not match the SHA512 hash in the HTML the
> >browser should discard the JavaScript file and display a warning to the
> >user that the file has been modified and that it should be considered as
> >malicious.
>
> You probably want to talk to <http://www.w3.org/2011/webappsec/>.
> --

Indeed, the webappsec WG is currently working on a sub-resource integrity spec that covers exactly that use-case:
https://rawgithub.com/w3c/webappsec/master/specs/subresourceintegrity/index.html

Received on Wednesday, 5 February 2014 07:06:28 UTC
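
The check proposed in the quoted message, sketched as an added example that is not part of the original thread or of the webappsec draft: the site owner pins a digest of the script, and the fetched bytes are discarded unless they match. It assumes the `<algorithm>-<base64 digest>` token form of the `integrity` attribute as Subresource Integrity was later standardized; the function names, the sample script and the choice to treat an unusable value as a mismatch are assumptions of this example.

```python
import base64
import hashlib

# Accepted hash functions, weakest first; the proposal in the thread names SHA512.
ALGORITHMS = ("sha256", "sha384", "sha512")


def integrity_value(body: bytes, algorithm: str = "sha512") -> str:
    """Token the site owner publishes next to the script URL."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")


def matches(body: bytes, integrity: str) -> bool:
    """True only if body matches a digest for the strongest algorithm listed."""
    by_algorithm = {}
    for token in integrity.split():
        algorithm, sep, expected = token.partition("-")
        if sep and algorithm in ALGORITHMS:
            by_algorithm.setdefault(algorithm, set()).add(expected)
    if not by_algorithm:
        # Assumption of this sketch: an unusable value counts as a mismatch.
        return False
    # Only the strongest listed algorithm is checked, so a weaker digest that
    # happens to match modified content cannot be used to downgrade the check.
    strongest = max(by_algorithm, key=ALGORITHMS.index)
    actual = integrity_value(body, strongest).partition("-")[2]
    return actual in by_algorithm[strongest]


# Constructed sample data: the file as reviewed, and a copy modified on the CDN.
ORIGINAL = b"function greet(n) { return 'Hello, ' + n; }\n"
TAMPERED = ORIGINAL + b"/* modified after upload */\n"

if __name__ == "__main__":
    pinned = integrity_value(ORIGINAL)
    print("integrity:", pinned)
    for name, body in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(name, "->", "execute" if matches(body, pinned) else "discard")
```

The digest must be computed over the exact bytes the CDN will serve; any re-minification or re-encoding after pinning makes the check fail for legitimate content as well.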