
why not sha checksum?

Posted Jul 2, 2009 23:20 UTC (Thu) by socket (subscriber, #43)
In reply to: why not sha checksum? by ccyoung
Parent article: Mozilla's Content Security Policy

Think about this some. What are you taking the SHA sum of? The content of the page, of course. Say, for example, that the page in question contains a number of user-entered comments, like this one on LWN you're reading. Those comments were probably stored in a database - a script pulls them out and inserts them into the appropriate places of the page.

Your checksum won't tell you whether there are references to javascript in the content that's been sent to your browser. If the server didn't filter them properly, and your browser just does as it's told (without giving you control over whether it should treat any individual portion as code or data), then your SHA sum will tell you that yes, indeed, the malicious code was malicious before it went into the comment system in the first place.



not following

Posted Jul 2, 2009 23:44 UTC (Thu) by ccyoung (guest, #16340)

yes, the sha1 hash needs to be of the page including "data" (I guess this would hash everything but the header itself?).

no javascript executes before the hash is completed (perhaps one hash for the head and one for the body might speed things up).

is this impossible to do?

not following

Posted Jul 3, 2009 1:00 UTC (Fri) by socket (subscriber, #43)

No, taking a hash of any page is very easy to do. It simply doesn't do anything to solve this problem.

Suppose you're in charge of a city with a high rate of criminals breaking into people's houses. Your solution basically amounts to renaming the house numbers on every street, in the hope that that will prevent criminals from finding houses to break into -- never mind that they're already on the street in front of the physical buildings.

By the time the nefarious content has reached the browser, if the browser just goes on its merry way interpreting any javascript it's been sent, it doesn't matter much what else the server says to the client. If someone managed to insert javascript code into their comment, and submit it to the server so it'll show up in another user's browser, the TV's already on the sidewalk.

What the Mozilla proposal basically amounts to is making the browser not just interpret any random javascript it's been sent, but letting the website authors say, "Javascript that comes from here (the site's trusted javascript), go ahead and run - but ignore any other javascript, or triggers for it, you see on the web page."
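To make socket's point concrete, here is an added Python sketch (not from the thread or from Mozilla's CSP code): a page assembled from stored comments, one carrying a script tag the server failed to escape, hashes identically on the server and browser side, so a checksum passes; a policy-style check that only accepts script loaded from the site's own origin (assumed here to be https://example.org, with a constructed sample comment) flags the injected inline script instead.

```python
import hashlib
import re
from html import escape

TRUSTED_ORIGIN = "https://example.org"  # assumption: the site's own script host

# Constructed sample data: stored comments, one of which carries a script
# tag that an imperfect server-side filter let through.
COMMENTS = [
    "Nice article!",
    'Agreed <script>alert("injected")</script>',
]

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)


def render_page(comments, filter_ok=False):
    """Build the HTML the server sends. With filter_ok=False the comments are
    inserted verbatim, which is the scenario socket describes."""
    body = "\n".join(f"<p>{escape(c) if filter_ok else c}</p>" for c in comments)
    head = f'<head><script src="{TRUSTED_ORIGIN}/site.js"></script></head>'
    return f"<html>{head}<body>{body}</body></html>"


def page_checksum(page: str) -> str:
    """The SHA-256 of whatever was sent, injected script included."""
    return hashlib.sha256(page.encode()).hexdigest()


def csp_violations(page: str, trusted_origin: str) -> list:
    """Emulate the effect of a policy like `script-src https://example.org`:
    inline scripts and scripts from any other origin are refused."""
    violations = []
    for m in SCRIPT_RE.finditer(page):
        attrs, inline = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src is None:
            violations.append(f"inline script refused: {inline.strip()[:40]!r}")
        elif not src.group(1).startswith(trusted_origin + "/"):
            violations.append(f"untrusted script source refused: {src.group(1)}")
    return violations


def demo():
    """Return (checksum matches, policy violations) for the unfiltered page."""
    page = render_page(COMMENTS)
    published = page_checksum(page)   # what the server would announce
    recomputed = page_checksum(page)  # what the browser would recompute
    return published == recomputed, csp_violations(page, TRUSTED_ORIGIN)
```

The checksum verifies because the injected comment is part of the page the server itself produced; only the source-based policy distinguishes the site's script from the comment's.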


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds