Regular XSS targets one site at a time. Hack GA and you instantly own 80% of Alexa top 1M.
SRI is enough if you trust the place you're loading JS from. Otherwise, don't load the JS.
-
How about GA demanding SRI?
-
Or maybe scripts can't inject script tags with hash attributes?
-
If so we should come up with a way for script sources to request then demand SRI in two steps.
-
What would this protect against? An evil JS provider could just not opt into any checks.
-
But providers with great power could lower the aggregate risk on the web.
End of conversation

New conversation
Strongly disagree. Happy to discuss in person tomorrow. 140 chars are not enough.