If you can change out the JS payload, you can probably also swap out the HTML wh... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

diggan on Aug 16, 2018 | parent | context | favorite | on: OpenPGPjs has passed an independent security audit

If you can change out the JS payload, you can probably also swap out the HTML which supposedly "secures" it.

If the users had the option of "locking" a JS version with the Subresource Integrity attribute that they are currently using, it might help.

eli on Aug 16, 2018 [–]

Wouldn't you also need to lock down all the UI code and everything that interacts with the library?

Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact