- From: Francois Marier <francois@mozilla.com>
- Date: Thu, 17 Sep 2015 09:17:58 -0700
- To: public-webappsec@w3.org

On 17/09/15 01:10 AM, Frederik Braun wrote:
> On 17.09.2015 02:26, Conrad Irwin wrote:
>> If you remove the link element and re-add it in javascript, will that
>> cause another request?
>>
>> If so a malicious person could detect whether this is the first load of
>> the stylesheet or the second, and serve different content both times.
>
> That's a good point. But is it going to reuse the same data structure if
> the same URL returns a different resource? I was hoping not.

If it causes another network request (or a request to the HTTP cache)
then we'll check SRI on it.

It's only when we've successfully loaded a stylesheet in the same
document that we skip the network load and by extension any further SRI
checks.

Francois

Received on Thursday, 17 September 2015 16:18:31 UTC