[whatwg] Proposal: Specify SHA512 hash of JavaScript files in <script> tag

Yoav Weiss yoav at yoav.ws
Tue Feb 4 23:06:03 PST 2014


On Sat, Dec 14, 2013 at 3:41 PM, Bjoern Hoehrmann <derhoermi at gmx.net> wrote:

> * Some Developer wrote:
> >Currently most people store their JavaScript code on a CDN of some sort.
> >This often involves uploading their JavaScript files to a server hosted and
> >run by a third party which means the control and security of the server is
> >out of the hands of the website owner. If the CDN is hacked or a rogue
> >employee decides to edit your JavaScript you might end up serving malicious
> >JavaScript to your users without even knowing it.
> >
> >In order to overcome this problem I propose that a new attribute is added
> >to the <script> tag which allows the website owner to specify a SHA512 hash
> >of the JavaScript file ahead of time. If when the file is downloaded from
> >the CDN by the browser it does not match the SHA512 hash in the HTML the
> >browser should discard the JavaScript file and display a warning to the
> >user that the file has been modified and that it should be considered as
> >malicious.
>
> You probably want to talk to <http://www.w3.org/2011/webappsec/>.
> --
>

Indeed, the webappsec WG is currently working on a sub-resource integrity
spec that covers exactly that use-case:
https://rawgithub.com/w3c/webappsec/master/specs/subresourceintegrity/index.html
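
The check proposed in this thread, as an added example that is not part of the original messages or of the webappsec draft: Node.js code that computes a SHA-512 digest for a script and rejects a fetched body that does not match it. The "alg-base64" value format, the function names and the sample script bytes are assumptions of this example.

```javascript
// Added example, not from the thread. Names and sample bytes are constructed.
const crypto = require("node:crypto");

// Supported digests, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/;

// Value the site owner would publish in the page for a given file.
function computeIntegrity(body, alg = "sha512") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Split a whitespace-separated list of "alg-base64" tokens; drop malformed ones.
function parseIntegrity(value) {
  return value.split(/\s+/)
    .map((tok) => TOKEN.exec(tok))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
}

// True only if the body matches a digest of the strongest algorithm listed.
// Weaker digests in the same value are ignored, and a value with no usable
// digest fails closed (a choice made for this example).
function verifyScript(body, integrityValue) {
  const entries = parseIntegrity(integrityValue);
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)));
  const alg = STRENGTH[best];
  const actual = crypto.createHash(alg).update(body).digest();
  return entries
    .filter((e) => e.alg === alg)
    .some((e) => Buffer.from(e.digest, "base64").equals(actual));
}

// Constructed sample: the file as uploaded, and the same file after an edit.
const original = Buffer.from("function greet() { return 'hello'; }\n");
const tampered = Buffer.from("function greet() { return 'hello'; } extra();\n");
const pinned = computeIntegrity(original);

console.log(pinned);
console.log("original:", verifyScript(original, pinned));
console.log("tampered:", verifyScript(tampered, pinned));
```

Because the digest is computed over the exact bytes served, any re-minification or re-encoding of the file on the CDN also changes it, so the pinned value has to be regenerated on every release.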


