
Re: [whatwg] Proposal: Specify SHA512 hash of JavaScript files in <script> tag

From: Yoav Weiss <yoav@yoav.ws>
Date: Wed, 5 Feb 2014 08:06:03 +0100
Message-ID: <CACj=BEhNRRcM2DBnF+c3u54dONtzyrP6RRaYNd1z1TtJU-J-4A@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Some Developer <someukdeveloper@gmail.com>, WHATWG <whatwg@whatwg.org>
On Sat, Dec 14, 2013 at 3:41 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Some Developer wrote:
> >Currently most people store their JavaScript code on a CDN of some sort.
> >This often involves uploading their JavaScript files to a server hosted and
> >run by a third party which means the control and security of the server is
> >out of the hands of the website owner. If the CDN is hacked or a rogue
> >employee decides to edit your JavaScript you might end up serving malicious
> >JavaScript to your users without even knowing it.
> >
> >In order to overcome this problem I propose that a new attribute is added
> >to the <script> tag which allows the website owner to specify a SHA512 hash
> >of the JavaScript file ahead of time. If when the file is downloaded from
> >the CDN by the browser it does not match the SHA512 hash in the HTML the
> >browser should discard the JavaScript file and display a warning to the
> >user that the file has been modified and that it should be considered as
> >malicious.
>
> You probably want to talk to <http://www.w3.org/2011/webappsec/>.
> --
>

Indeed, the webappsec WG is currently working on a sub-resource integrity
spec that covers exactly that use-case:
https://rawgithub.com/w3c/webappsec/master/specs/subresourceintegrity/index.html
Received on Wednesday, 5 February 2014 07:06:28 UTC
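
The check proposed in the quoted message, sketched for Node.js as an added example (it is not part of the thread and is not the algorithm of the sub-resource integrity spec). The `expectedSha512` field, its hex encoding, the function names and the `cdn.example` URL are assumptions made for illustration; the script bodies are constructed sample data.

```javascript
// Added illustration of the proposed check; all names here are hypothetical.
const nodeCrypto = require("node:crypto");

// True only if the downloaded bytes hash to the SHA-512 value pinned in the HTML.
function matchesPinnedHash(body, expectedSha512Hex) {
  const expected = Buffer.from(expectedSha512Hex.trim().toLowerCase(), "hex");
  // A malformed or truncated pin must fail closed rather than match by accident.
  if (expected.length !== 64) return false;
  const actual = nodeCrypto.createHash("sha512").update(body).digest();
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Models the behaviour the proposal asks of the browser: run the script when
// the hash matches, otherwise discard it and surface a warning.
function loadScript(tag, fetchedBody) {
  if (!tag.expectedSha512) {
    // No pin in the markup: nothing to verify, so behaviour is unchanged.
    return { action: "execute", warning: null };
  }
  if (matchesPinnedHash(fetchedBody, tag.expectedSha512)) {
    return { action: "execute", warning: null };
  }
  return {
    action: "discard",
    warning: `${tag.src} does not match the hash in the HTML and was not run`,
  };
}

// Constructed sample: the file the site owner uploaded, and a modified CDN copy.
const original = Buffer.from("function greet(){return 'hello';}\n", "utf8");
const tampered = Buffer.concat([original, Buffer.from("/* changed on CDN */\n")]);

// The site owner computes the pin ahead of time from the original file.
const pin = nodeCrypto.createHash("sha512").update(original).digest("hex");
const tag = { src: "https://cdn.example/app.js", expectedSha512: pin };

console.log(loadScript(tag, original)); // matching copy is executed
console.log(loadScript(tag, tampered)); // modified copy is discarded
```

The pin protects only the exact bytes that were hashed, so any legitimate update to the file on the CDN requires a matching update to the HTML.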
