On Thursday, January 29, 2015 6:25 PM, Daniel Kahn Gillmor 
<d...@fifthhorseman.net> wrote:

>On Thu 2015-01-29 20:14:59 -0500, Yan Zhu wrote:
>> A signed manifest-like package description that lists the hash and
>> location of every resource seems fine as long as all the resources are
>> downloaded and verified before running the app. Perhaps this kills
>> some of the performance benefits motivating packaging in the first
>> place. :(
> Why would you need to fetch all the pieces before running the app?
> Consider a manifest includes an integrity check covering resources X, Y,
> and Z, but X is the only bit of code that runs first, and Y and Z aren't

> loaded.> If you can validate the manifest, then you know you only run X if 
> you've
> verified the manifest and X's integrity.  If the user triggers an action
> that requires resource Y, then you fetch it but don't use it unless it
> matches the integrity check.

Say that resource Y is a javascript file that listens for users typing in 
password fields and shows them a warning if the password is weak. The user 
verifies and loads the HTML page that includes Y but an attacker then blocks 
the request to fetch Y, so the user picks a weak password.

My intuition is that most developers think about the security of their app as a 
whole, not the security of their app minus any-given-subset-of-resources.

Reply via email to