You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
During the WebAppSec meeting, it was suggested that the introduction of URL hashes would be confusing -- it's not immediately clear what security guarantees the hashing provides. The has is a compact representation of the URL, but beyond that, it doesn't make the policy more restrictive.
To make this more clear, it was suggested that we could prefix URL (and perhaps eval) hashes with url- (and eval-) prefixes, like so:
script-src-v2 'url-sha256-abcdef'
This has some nice properties:
Makes the policy more transparent. No need to guess if a hash is for a script content or for a URL.
No collisions between script contents and URLs. We plan to support relative URLs, and a relative URL like value?a:b is valid JavaScript. Prefixing URL hashes will prevent attacks that make use of this fact.
If we also introduce the eval- prefix, the eval related parts of the policy stand out, potentially as something to be mitigated/avoided in the future.
The obvious downside is the repetition and the slight increase in the policy size which feels like a minor issue.
On balance, I think it makes sense to drop the url-hashes keyword and add url- and eval- prefixes to the relevant hashes.
The text was updated successfully, but these errors were encountered:
During the WebAppSec meeting, it was suggested that the introduction of URL hashes would be confusing -- it's not immediately clear what security guarantees the hashing provides. The has is a compact representation of the URL, but beyond that, it doesn't make the policy more restrictive.
To make this more clear, it was suggested that we could prefix URL (and perhaps eval) hashes with url- (and eval-) prefixes, like so:
This has some nice properties:
value?a:b
is valid JavaScript. Prefixing URL hashes will prevent attacks that make use of this fact.The obvious downside is the repetition and the slight increase in the policy size which feels like a minor issue.
On balance, I think it makes sense to drop the
url-hashes
keyword and addurl-
andeval-
prefixes to the relevant hashes.The text was updated successfully, but these errors were encountered: