Re: [SRI] Shared Cache through `sharedcache` attribute

As for CSP: scripts with sharedcache="true" should be treated the same as
inline scripts.

Because
 - We should assume that an attacker is able to add arbitrary assets to the
shared cache (e.g. via a website he owns)
 - Therefore setting the integrity attribute while sharedcache="true" is
equivalent to setting the content of the script to the source of the asset,
i.e. it is equivalent to inline scripting

(this is a copy of a comment on
https://github.com/w3c/webappsec/issues/504 because
I don't know whether the mailing list or the GitHub repository supersedes)

Received on Monday, 21 December 2015 23:48:12 UTC
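
The argument in the message above, as an added JavaScript model; it is not part of the original email and is not browser or specification code. `SharedCache`, `parseScriptSrc`, `decide`, the element shape and the host `cdn.example` are assumptions made for the illustration, and the CSP handling covers only host sources, sha256 hash sources and 'unsafe-inline'.

```javascript
// Toy model (added illustration): none of these names are browser or spec APIs.
const { createHash } = require("node:crypto");

const digestOf = (body) =>
  "sha256-" + createHash("sha256").update(body).digest("base64");

// Content-addressed cache shared by every origin; the key is the digest only.
class SharedCache {
  constructor() { this.byDigest = new Map(); }
  // Any site that loads a resource populates the cache; origin is not recorded.
  store(body) { const d = digestOf(body); this.byDigest.set(d, body); return d; }
  lookup(integrity) { return this.byDigest.get(integrity); }
}

// Minimal script-src model: https host sources, sha256 hash sources, 'unsafe-inline'.
function parseScriptSrc(policy) {
  const sources = policy.trim().split(/\s+/).slice(1);
  return {
    hosts: sources.filter((s) => s.startsWith("https://")),
    hashes: sources.filter((s) => /^'sha256-.+'$/.test(s)).map((s) => s.slice(1, -1)),
    unsafeInline: sources.includes("'unsafe-inline'"),
  };
}

// el = { src, integrity, sharedcache } (hypothetical shape of a <script> element).
// mode "url": check only the src host. mode "inline": the rule proposed above.
function decide(el, policy, cache, mode) {
  const csp = parseScriptSrc(policy);
  const hit = el.sharedcache && el.integrity ? cache.lookup(el.integrity) : undefined;
  if (hit !== undefined && mode === "inline") {
    // The digest alone selected the bytes, so judge them like inline content:
    // a matching hash source, or 'unsafe-inline' when no hash source is listed.
    const ok = csp.hashes.length ? csp.hashes.includes(el.integrity) : csp.unsafeInline;
    return { allowed: ok, source: ok ? "cache" : null };
  }
  const hostOk = csp.hosts.includes(new URL(el.src).origin);
  if (!hostOk) return { allowed: false, source: null };
  // Host check passed; on a cache hit the src host is never contacted.
  return { allowed: true, source: hit !== undefined ? "cache" : "network" };
}

// Constructed scenario: the bytes were cached by a visit to an unrelated site.
const cache = new SharedCache();
const foreign = cache.store("console.log('never served by cdn.example')");
const el = { src: "https://cdn.example/lib.js", integrity: foreign, sharedcache: true };
const policy = "script-src https://cdn.example";
console.log(decide(el, policy, cache, "url"));    // allowed, source "cache"
console.log(decide(el, policy, cache, "inline")); // blocked
```

Under the inline-equivalent rule, a site that wants a shared-cache hit has to list the digest itself as a hash source in its policy, which is the same commitment it would make for an inline script.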