undefined | Better HN

0 pointsbastawhiz1y ago0 comments

1. Yes

2. Because that requires you to know how to find the hash and add it.

Truthfully the burden should be on the third party that's serving the script (where did you copy that HTML in the first place?) but they aren't incentivizes to have other sites use a hash.

0 comments

valenterry1y ago

Well, to be honest, the browsers could super easily solve that. In dev mode, just issue a warning "loaded script that has hash X but isn't statically defined. This is a huge security risk. Read more here" and that's it. Then you can just add the script, run the site, check the logs and add the hash, done.

sirl1on1y ago

You can define a CSP header to only exec 3rd Party scripts with known hashes

valenterry1y ago

But that doesn't make it easy to integrate a new script from an author who doesn't provide the hash already.

2 more replies

bastawhizOP1y ago

> In dev mode, just issue a warning "loaded script that has hash X but isn't statically defined.

How does the browser know which files to warn you about? What about scripts that are generated dynamically and have no static hash? There's plenty of reasons why you wouldn't want this.

valenterry1y ago

It just warns about all embedded non-same-origin scripts that don't have a hash.

> What about scripts that are generated dynamically and have no static hash?

Well, then the warning is still valid because this is a security risk. I guess it'd be fine to be able to suppress the warning explicitly in those cases.

> There's plenty of reasons why you wouldn't want this.

For example? Honestly curious where you would not want a warning by default.

quacksilver1y ago

I wish popular browsers would get together and release an update that says:

- After version X we are displaying a prominent popup if a script isn't loaded with a hash

- After version Y we blocking scripts loaded without hashes

They could solve this problem in a year or so, and if devs are too lazy to specify a hash when loading scripts then their site will break.

bastawhizOP1y ago

Literally every website that uses JSONP will stop working if that happened. This would break the web in fundamental ways. If we're going to break the web in fundamental ways, resource integrity is hardly among the things that I'd be interested in changing.

quacksilver1y ago

Why would people choose JSONP over CORS?

There are security risks with JSONP (a hack to bypass same-origin policy), and the successor (CORS) has been around since 2009, so phasing it out may be a good thing.

https://dev.to/benregenspan/the-state-of-jsonp-and-jsonp-vul...

account421y ago

Good. JSONP requests to a domain you don't control are a security nightmare.

TZubiri1y ago

I don't think it's just laziness. There's use cases where the libraries are designed to be updated automatically.

Also some of the tracking scripts I don't think are strictly static content, maybe their strategy to fingerprint browser involves sending different shit to different users.

quacksilver1y ago

If you are the one serving the website, then you are the one generating the hash. If you want to serve different stuff then you could dynamically generate the hash for that different stuff rather than hard code it statically.

Specifying a script hash says that you as the owner of that site agree to load the content only if it matches the hash. Presumably you trust the content enough to serve it to your users.

j / k navigate · click thread line to collapse

0 comments

valenterry1y ago

sirl1on1y ago

You can define a CSP header to only exec 3rd Party scripts with known hashes

valenterry1y ago

But that doesn't make it easy to integrate a new script from an author who doesn't provide the hash already.

2 more replies

bastawhizOP1y ago

> In dev mode, just issue a warning "loaded script that has hash X but isn't statically defined.

How does the browser know which files to warn you about? What about scripts that are generated dynamically and have no static hash? There's plenty of reasons why you wouldn't want this.

valenterry1y ago

It just warns about all embedded non-same-origin scripts that don't have a hash.

> What about scripts that are generated dynamically and have no static hash?

Well, then the warning is still valid because this is a security risk. I guess it'd be fine to be able to suppress the warning explicitly in those cases.

> There's plenty of reasons why you wouldn't want this.

For example? Honestly curious where you would not want a warning by default.

quacksilver1y ago

I wish popular browsers would get together and release an update that says:

- After version X we are displaying a prominent popup if a script isn't loaded with a hash

- After version Y we blocking scripts loaded without hashes

They could solve this problem in a year or so, and if devs are too lazy to specify a hash when loading scripts then their site will break.

bastawhizOP1y ago

quacksilver1y ago

Why would people choose JSONP over CORS?

There are security risks with JSONP (a hack to bypass same-origin policy), and the successor (CORS) has been around since 2009, so phasing it out may be a good thing.

https://dev.to/benregenspan/the-state-of-jsonp-and-jsonp-vul...

account421y ago

Good. JSONP requests to a domain you don't control are a security nightmare.

TZubiri1y ago

I don't think it's just laziness. There's use cases where the libraries are designed to be updated automatically.

Also some of the tracking scripts I don't think are strictly static content, maybe their strategy to fingerprint browser involves sending different shit to different users.

quacksilver1y ago

Specifying a script hash says that you as the owner of that site agree to load the content only if it matches the hash. Presumably you trust the content enough to serve it to your users.

j / k navigate · click thread line to collapse