undefined | Better HN

0 pointsvalenterry1y ago0 comments

But that doesn't make it easy to integrate a new script from an author who doesn't provide the hash already.

0 comments

Vendor your dependencies. It’s better for you as a maintainer anyway, since caching only works[0] with first party domains with any reliability.

And once you vendor your dependencies you can calculate the hash yourself

[0]: there are caveats to this

TZubiri1y ago

How would third party distribution like a cdn affect hashing?

I think https and integrity hashes address two very orthogonal attack vectors.

0xCMP1y ago

Because if you're not getting the real benefit (improved response times due to caching) you can stop worrying about hashing it properly or not and simply serve a copy you know to be good (or at least known and probably version controlled). Now you don't need to hash or know which hash is correct or worry about the user getting served the wrong file because someone else got hacked.

1 more reply

no_wizard1y ago

It’s about control foremost. If you vendor your dependencies you know what you’re serving and can calculate the hash and use it in your CSP, and provides more stability for versioning.

Plus, as mentioned, only 1st party origins enjoy any benefits of caching content for faster load times so you get an additional benefit

TZubiri1y ago

But you can .. get the hash yourself?

wget url; sha256 file

valenterryOP1y ago

Of course you can. But when it comes to security, one thing is very important in practice: making the secure way of doing things as easy as possible.

So, why did you not actually post the correct shell script? Apparently that would have been more effort to get right and ensure is correct right? And also work for every OS. And there you have it: if someone first has to figure out which script to run, some percentage will give up here. And that's my point: the browser should make it as easy as possible to avoid that from happening.

account421y ago

Cool. Now your site will break if the upstream pushes a fix while you're on vacation.

j / k navigate · click thread line to collapse

0 comments

no_wizard1y ago

Vendor your dependencies. It’s better for you as a maintainer anyway, since caching only works[0] with first party domains with any reliability.

And once you vendor your dependencies you can calculate the hash yourself

[0]: there are caveats to this

TZubiri1y ago

How would third party distribution like a cdn affect hashing?

I think https and integrity hashes address two very orthogonal attack vectors.

0xCMP1y ago

1 more reply

no_wizard1y ago

It’s about control foremost. If you vendor your dependencies you know what you’re serving and can calculate the hash and use it in your CSP, and provides more stability for versioning.

Plus, as mentioned, only 1st party origins enjoy any benefits of caching content for faster load times so you get an additional benefit

TZubiri1y ago

But you can .. get the hash yourself?

wget url; sha256 file

valenterryOP1y ago

Of course you can. But when it comes to security, one thing is very important in practice: making the secure way of doing things as easy as possible.

account421y ago

Cool. Now your site will break if the upstream pushes a fix while you're on vacation.

j / k navigate · click thread line to collapse