Re: Security use cases for packaging

2015-01-30 Thread Chris Palmer
On Thu, Jan 29, 2015 at 10:50 PM, Yan Zhu y...@yahoo-inc.com wrote:
> Say that resource Y is a JavaScript file that listens for users typing in password fields and shows them a warning if the password is weak. The user verifies and loads the HTML page that includes Y but an attacker then

Re: Security use cases for packaging

2015-01-29 Thread Chris Palmer
But other code from the same origin might not be signed, which could break the security assertion of code signing. The unit of signing should be the same as the unit of isolation, i.e. the origin. Or, the origin should be expanded to include a 4th element, the signing key(s). I don't know how to