Re: Security use cases for packaging

2015-01-30 Thread Daniel Kahn Gillmor
On Fri 2015-01-30 01:50:43 -0500, Yan Zhu wrote: Say that resource Y is a javascript file that listens for users typing in password fields and shows them a warning if the password is weak. The user verifies and loads the HTML page that includes Y but an attacker then blocks the request to

Re: Security use cases for packaging

2015-01-29 Thread Daniel Kahn Gillmor
On Thu 2015-01-29 20:14:59 -0500, Yan Zhu wrote: A signed manifest-like package description that lists the hash and location of every resource seems fine as long as all the resources are downloaded and verified before running the app. Perhaps this kills some of the performance benefits