But this calculation is client-side. If the attacker has full access to client-side scripts, they can easily ajax in the server-script, run an md5 on it and return that (while what's actually executing on the browser is the compromised script).
On Thursday, January 2, 2014 9:33:06 AM UTC-8, Sander Elias wrote: > > Hi Daniel, > > It enables you to calculate an md5 hash for your script, and compare that > with the server. that way, you know pretty sure your script is not altered. > If you demand the checksum on the server, before giving out any data, you > can be fairly sure that the scripts are not altered. > However, it's pretty complex to get this system waterproof! > And, if your not on https it has no extra safety whatsoever! > > Regards > Sander > -- You received this message because you are subscribed to the Google Groups "AngularJS" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/angular. For more options, visit https://groups.google.com/groups/opt_out.
