Does the Web need HTML/JS code signing?

1 pointserastothenes12y ago2 comments

As pure HTML/JS web apps begin to encroach on the turf of native applications, they will inevitably face some of the same security problems that native apps once faced. One of these issues is trusted code delivery. This has traditionally been addressed with code signing, yet it is not currently possible to sign an HTML/JS single-page app in the way that an iPhone app or a browser extension can be signed. Do browsers need a new method for HTML/JS code verification?

2 comments

TheHydroImpulse12y ago

No. Web pages are sandboxed and thus have limited control to the computer and operating system compared to native apps.

erastothenesOP12y ago

Yet web page code can certainly be modified to perform malicious actions; XSS is a rampant example. More and more Javascript applications handle information that is of high value to users - passwords, private journals, financial information, etc. Code signing can protect users against an attacker who tampers with the architecture that handles this sensitive information.

j / k navigate · click thread line to collapse

Does the Web need HTML/JS code signing?

1 pointserastothenes12y ago2 comments

2 comments

TheHydroImpulse12y ago

No. Web pages are sandboxed and thus have limited control to the computer and operating system compared to native apps.

erastothenesOP12y ago

j / k navigate · click thread line to collapse