undefined | Better HN

0 pointsanglebracket12y ago0 comments

> Perhaps it's about time we had a way to specify the hash of <script> source inline so browsers can serve files from cache even if they are from different origins

A spec for just that was recently proposed[0], it even has support for a "canonical" script to be used in the event of that the hash check fails.

The good news is a polyfill for this can probably be created today. If CDNs serve their JS with the proper CORS headers, you can request the JS with cross-domain XHR and check it against a hash before eval()ing the script.

The bad news is that the polyfill would require you to allow `unsafe-eval` if you use Content-Security-Policy headers. Depending on your security model, it'd probably be best to host all your resources yourself. Not to mention that using a hash function written in javascript might negate any performance gains.

[0]: http://w3c.github.io/webappsec/specs/subresourceintegrity/

0 comments

2 comments · 1 top-level

nly12y ago· 1 in thread

I see no reason to implement any of that in Javascript

anglebracketOP12y ago

The polyfill would need to be in javascript, this is just a candidate spec and isn't actually implemented anywhere yet. Obviously it wouldn't be needed if it was implemented natively. I'm just not sure if it makes any sense to, performance-wise.

j / k navigate · click thread line to collapse