Explain how RIC should interact with integrity protections #31

Open
simon-friedberger opened this issue Sep 13, 2024 · 2 comments

@simon-friedberger

Assuming that a website is adding SRI to all its JS files to make sure only the right JS runs, RIC should not be able to circumvent that and suddenly add another script.

(I considered merging this into #16 but decided it deserves its own issue.)

@weizman
Collaborator

weizman commented Sep 16, 2024

Scenario:

  • Headers: Content-Security-Policy: realm-init: /ric.js
  • ric.js: document.write('<script src="code.js"></script>')

Just to clarify - do you mean ric.js should obey SRI, or should only scripts it brings and executes (such as code.js) obey SRI?

@weizman
Collaborator

weizman commented Sep 18, 2024

This issue will be affected by #10
