[whatwg] Proposal: Specify SHA512 hash of JavaScript files in <script> tag
Bjoern Hoehrmann
derhoermi at gmx.net
Sat Dec 14 06:41:40 PST 2013
* Some Developer wrote:
>Currently most people store their JavaScript code on a CDN of some sort.
>This often involves uploading their JavaScript files to a server hosted and
>run by a third party which means the control and security of the server is
>out of the hands of the website owner. If the CDN is hacked or a rogue
>employee decides to edit your JavaScript you might end up serving malicious
>JavaScript to your users without even knowing it.
>
>In order to overcome this problem I propose that a new attribute is added
>to the <script> tag which allows the website owner to specify a SHA512 hash
>of the JavaScript file ahead of time. If when the file is downloaded from
>the CDN by the browser it does not match the SHA512 hash in the HTML the
>browser should discard the JavaScript file and display a warning to the
>user that the file has been modified and that it should be considered as
>malicious.
You probably want to talk to <http://www.w3.org/2011/webappsec/>.
--
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
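
Added example, not part of either message above: the check the quoted proposal describes, modelled in Node.js rather than in a browser. The function names and the hex encoding of the pinned value are assumptions, since the proposal names neither an attribute nor an encoding.

```javascript
// Model of the proposed check: hash the bytes received from the CDN and
// run the script only if they match the hash pinned in the page's HTML.
const { createHash } = require('node:crypto');

// SHA-512 over the exact bytes on the wire, as lowercase hex.
// Hashing bytes (not a decoded string) avoids charset-dependent results.
function sha512Hex(bytes) {
  return createHash('sha512').update(bytes).digest('hex');
}

// expectedHex: the value the site owner would put in the (hypothetical)
// hash attribute. Returns a decision object; never throws on bad input.
function checkScript(bytes, expectedHex) {
  const expected = String(expectedHex).trim().toLowerCase();
  // Fail closed: a truncated or garbled pin must not let the script run.
  if (!/^[0-9a-f]{128}$/.test(expected)) {
    return { execute: false, reason: 'malformed-hash' };
  }
  const actual = sha512Hex(bytes);
  // Both values are public, so a plain comparison is sufficient here.
  return actual === expected
    ? { execute: true, reason: 'match' }
    : { execute: false, reason: 'mismatch', actual };
}

// Constructed sample data: the file as published, and a modified copy
// standing in for what a compromised CDN might serve.
const published = Buffer.from('function greet(){return "hello";}\n', 'utf8');
const pinned = sha512Hex(published); // computed ahead of time by the site owner
const tampered = Buffer.concat([published, Buffer.from('/* changed */', 'utf8')]);

function demo() {
  return {
    untouched: checkScript(published, pinned).reason,
    modified: checkScript(tampered, pinned).reason,
    truncated: checkScript(published, pinned.slice(0, 64)).reason,
  };
}

console.log(demo());
```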