Let's say my /auth endpoint wants to validate that the JS calling that endpoint is signed with a key I own.
I suspect this would take browser cooperation and does not exist?
Trying to understand what problem you're trying to solve with signing the JS that calls your endpoints.
I was thinking about if an attacker owned your CDN but I don't have a well defined threat model at this point. More just brainstorming.
Couldn't they just infect other code besides the code that calls the /auth endpoint? Wait for auth, then steal/use the session creds. Seems like you want CSP to enforce hashes instead of origins.
Firefox and Safari don't support hash-source for external scripts so it only works for inline scripts in those browsers. It prevents taking advantage of the feature in Chromium too, unlike the usual case where features like Trusted Types are simply not enforced by Firefox/Safari.
Also worth noting that hash-source depends on SRI for external scripts. It acts as a whitelist of SRI hashes rather than working independently. We added SRI for our sites despite it being near useless for us since we want to replace 'self' with hash-source when it's portable.
For some reason SRI only works with script/style even though it was originally presented as being useful for downloads, etc. CSP also only supports hash-source for script and not style for some reason. It's a fairly weak spot in the standards that's not properly fleshed out...
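
The relationship described in the last two posts, as an added example that is not from the thread's participants: a simplified Python model of a hash-only `script-src` acting as an allow-list over SRI `integrity` values. The URL, script bodies and function names are constructed for illustration, and the SRI step is simplified to accept a match on any declared hash.

```python
import base64
import hashlib

def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Return a hash expression usable in both SRI and CSP: '<alg>-<base64>'."""
    raw = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(raw).decode()}"

def csp_header(digests) -> str:
    """script-src that lists only hashes: no 'self', no origins."""
    return "script-src " + " ".join(f"'{d}'" for d in digests)

def script_tag(url: str, digest: str) -> str:
    """External script tag carrying the SRI metadata the policy refers to."""
    return f'<script src="{url}" integrity="{digest}" crossorigin="anonymous"></script>'

def would_execute(policy_digests, integrity_attr, served_body: bytes) -> bool:
    """Simplified model of the two checks on an external script.

    1. CSP hash-source: the tag must carry integrity metadata, and every
       hash in it must appear in the policy (the allow-list role).
    2. SRI: the bytes actually served must match a declared hash.
    """
    declared = integrity_attr.split() if integrity_attr else []
    if not declared or any(d not in policy_digests for d in declared):
        return False
    return any(sri_digest(served_body, d.split("-", 1)[0]) == d for d in declared)

# Constructed sample input: the script as built, and a copy altered on the CDN.
GOOD = b"fetch('/auth', {method: 'POST', credentials: 'include'});\n"
TAMPERED = GOOD + b"/* modified in transit */\n"
POLICY = [sri_digest(GOOD)]

if __name__ == "__main__":
    url = "https://cdn.example/app.js"  # placeholder URL
    print("Content-Security-Policy:", csp_header(POLICY))
    print(script_tag(url, POLICY[0]))
    cases = {
        "intact script, pinned hash": (POLICY[0], GOOD),
        "altered script, pinned hash": (POLICY[0], TAMPERED),
        "altered script, rewritten integrity": (sri_digest(TAMPERED), TAMPERED),
        "intact script, no integrity attribute": (None, GOOD),
    }
    for name, (attr, body) in cases.items():
        print(f"{name}: {'runs' if would_execute(POLICY, attr, body) else 'blocked'}")
```

The third case is the one SRI alone does not cover: whoever can rewrite the tag can rewrite its `integrity` value, and only the hash list in the CSP header rejects it.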