| |||||||||||||
not followingnot followingPosted Jul 2, 2009 23:44 UTC (Thu) by ccyoung (guest, #16340)In reply to: why not sha checksum? by socket Parent article: Mozilla's Content Security Policy
yes, sha1 hash needs to be of page including "data" (guess this would hash everything but the header itself?).
no javascript execute before hash completed (perhaps hash for head and one for body might speed things up).
is this impossible to do?
(Log in to post comments)
not following Posted Jul 3, 2009 1:00 UTC (Fri) by socket (guest, #43) [Link] No, taking a hash of any page is very easy to do. It simply doesn't do anything to solve this problem.Suppose you're in charge of a city with a high rate of criminals breaking into people's houses. Your solution basically amounts to renaming the house numbers on every street, in the hopes that that will prevent criminals from finding houses to break into -- nevermind that they're already on the street in front of the physical buildings. By the time the nefarious content has reached the browser, if the browser just goes on its merry way interpreting any javascript it's been sent, it doesn't matter much what else the server says to the client. If someone managed to insert javascript code into their comment, and submit it to the server so it'll show up in another user's browser, the TV's already on the sidewalk. What the Mozilla proposal basically amounts to is making the browser not just interpret any random javascript it's been sent, but letting the website authors say, "Javascript that comes from here (the site's trusted javascript), go ahead an run - but ignore any other javascript, or triggers for it, you see on the web page."
|
|||||||||||||