Conversation

Let's say my /auth endpoint wants to validate that the JS calling that endpoint is signed with a key I own. I suspect this would take browser cooperation and does not exist?
Replying to
I was thinking about if an attacker owned your CDN but I don't have a well defined threat model at this point. More just brainstorming.
Replying to and
Couldn't they just infect other code besides the code that calls the /auth endpoint? Wait for auth, then steal/use the session creds. Seems like you want CSP to enforce hashes instead of origins.
Also worth noting that hash-source depends on SRI for external scripts. It acts as a whitelist of SRI hashes rather than working independently. We added SRI for our sites despite it being near useless for us since we want to replace 'self' with hash-source when it's portable.
For some reason SRI only works with script/style even though it was originally presented as being useful for downloads, etc. CSP also only supports hash-source for script and not style for some reason. It's a fairly weak spot in the standards that's not properly fleshed out...
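The thread's point, that a CSP hash-source list for external scripts only works through SRI and that it pins content rather than origin, as an added example that is not part of the thread. It computes the shared SRI/CSP hash token for a reviewed script, emits the `<script integrity=...>` tag and a `script-src` header built from hashes instead of `'self'`, and models the browser-side check so that a copy altered on the CDN (constructed sample) is refused. The script bodies and the `would_execute` model are assumptions for illustration.

```python
import base64
import hashlib
from typing import Iterable


def sri_hash(script_bytes: bytes, algo: str = "sha256") -> str:
    """Return the token shared by SRI and CSP hash-source: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, script_bytes: bytes) -> str:
    """Emit the <script> tag with the SRI integrity attribute for exactly this content.
    CSP hash-source only applies to external scripts that carry an integrity attribute."""
    return (f'<script src="{src}" integrity="{sri_hash(script_bytes)}" '
            f'crossorigin="anonymous"></script>')


def csp_header(allowed: Iterable[bytes]) -> str:
    """Build a script-src directive listing content hashes instead of 'self' or a CDN origin."""
    tokens = " ".join(f"'{sri_hash(b)}'" for b in allowed)
    return f"Content-Security-Policy: script-src {tokens}"


def would_execute(served_bytes: bytes, header: str) -> bool:
    """Model of the browser check (assumption, simplified): the served body's hash
    must appear in the script-src hash list, otherwise the script is blocked."""
    directive = header.split("script-src ", 1)[1]
    allowed = {tok.strip("'") for tok in directive.split()}
    return sri_hash(served_bytes) in allowed


# Constructed sample: the script we reviewed, and the same file altered on the CDN.
GOOD = b"fetch('/auth', {credentials: 'include'});"
TAMPERED = GOOD + b"\n/* extra code injected at the CDN */"

if __name__ == "__main__":
    header = csp_header([GOOD])
    print(script_tag("https://cdn.example.invalid/auth.js", GOOD))
    print(header)
    print("reviewed copy runs:", would_execute(GOOD, header))       # True
    print("altered copy runs: ", would_execute(TAMPERED, header))   # False
```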