@dckc
Last active August 29, 2020 14:52

[9:44 AM] dckc:: SRI only works for <script> and .

[9:47 AM] dckc:: <script> does seem to work within data: ... so one could construct a data: URI that uses <script> with subresource integrity to securely fetch js (which would in turn supply HTML, CSS, etc.). ..

[9:47 AM] dckc:: so yes, that's technically sufficient to do secure content-addressable storage retrieval...

[9:47 AM] dckc:: but the UX isn't much better than having people install a browser add-on

[9:48 AM] dckc:: now a browser-add-on that would verify web pages based on on-chain info would be straightforward

rchain/RevVault.rho at dev · rchain/rchain https://github.com/rchain/rchain/blob/dev/casper/src/main/resources/RevVault.rho#L193-L196

Issues · rchain/rchain https://github.com/rchain/rchain/issues

(RNExt-01) - Event processing framework · Issue #13 · rchain/rchip-proposals rchain/rchip-proposals#13

liquid-democracy/Ballot.rho at ocap-review · rchain-community/liquid-democracy https://github.com/rchain-community/liquid-democracy/blob/ocap-review/Ballot.rho

NotaryInspector · dckc/awesome-ocap Wiki https://github.com/dckc/awesome-ocap/wiki/NotaryInspector

Content-addressable storage - Wikipedia https://en.wikipedia.org/wiki/Content-addressable_storage

Subresource Integrity | npm.io https://npm.io/search/keyword:Subresource+Integrity

Subresource Integrity - Web security | MDN https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

data: URI Generator https://dopiaza.org/tools/datauri/index.php

Data URLs - HTTP | MDN https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs

Blocking Top-Level Navigations to data URLs for Firefox 59 - Mozilla Security Blog https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/

Editing sri-test.js https://gist.github.com/dckc/19bd24318fbe762ef2c388b95a28d969/edit

Cross-Origin Read Blocking (CORB) - Chrome Platform Status https://www.chromestatus.com/feature/5629709824032768

alert('SRI test passed')
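
The data: URI plus SRI construction discussed in the chat above, as an added example that is not part of the original gist. It runs under Node.js; the function names and `SCRIPT_URL` (a placeholder host) are assumptions, and the script body is assumed to be the one-line sri-test.js with no trailing newline.

```javascript
// Added example: pin a script by hash, then build a data: URI loader for it.
const nodeCrypto = require('node:crypto');

// Constructed inputs: the gist's one-line script and a placeholder URL.
const SCRIPT_BODY = "alert('SRI test passed')";
const SCRIPT_URL = 'https://example.invalid/sri-test.js';

// SRI metadata is "<alg>-<base64 digest>" over the exact bytes served.
function sriFor(body, alg = 'sha384') {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest('base64')}`;
}

// Mirror the browser-side check: recompute the digest and compare it with
// the pinned value. Handles a single hash; real integrity attributes may
// list several, separated by whitespace.
function sriMatches(body, integrity) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(integrity);
  if (!m) return false; // unsupported algorithm or malformed metadata
  const expected = Buffer.from(m[2], 'base64');
  const actual = nodeCrypto.createHash(m[1]).update(body).digest();
  return expected.length === actual.length &&
    nodeCrypto.timingSafeEqual(expected, actual);
}

// Escape a value for use inside a double-quoted HTML attribute.
function attr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// The loader page carries only the URL and the hash. crossorigin is needed
// because browsers check integrity on cross-origin scripts only when the
// response is CORS-readable.
function loaderDataUri(scriptUrl, integrity) {
  const html = '<!doctype html><script src="' + attr(scriptUrl) +
    '" integrity="' + attr(integrity) +
    '" crossorigin="anonymous"></script>';
  return 'data:text/html;charset=utf-8,' + encodeURIComponent(html);
}

const pinned = sriFor(SCRIPT_BODY);
console.log(pinned);
console.log(loaderDataUri(SCRIPT_URL, pinned));
// One extra byte (a trailing newline) is enough for the check to fail.
console.log(sriMatches(SCRIPT_BODY + '\n', pinned));
```
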