ISSUE-36: hash as a source expression for csp 1.1
- State: CLOSED
- Product: CSP Level 2
- Raised by:
- Opened on: 2012-11-02
- Description:
  Trying a fetch of remote content before checking the hash may have undesirable CSRF-like effects, so the group believes that a hash source expression should only apply to inline resources. For remote resources it should be combined with future work on sub-resource integrity.
  Name/scheme of this source expression should probably be something like inline-hash to be clear?
- Related Actions Items: No related actions
- Related emails: No related emails
Related notes:
Would this just apply to inline content or potentially also to remote content?
Brad Hill, 25 Apr 2013, 18:41:26

This is in 1.1, does not apply to remote content.
Mike West, 10 Feb 2014, 13:20:56