Re: [Feature Proposal] New attributes "library" and "version" on script tags

On 08/09/2013 11:32 PM, Boris Zbarsky wrote:
> On 8/9/13 11:12 PM, François REMY wrote:
>>> This is an interesting concept but something else to consider: what is
>>> to prevent someone from "lying" about which script they are
>>> referencing?
>>>
>>> e.g. <script library="jQuery" version="1.0"
>>> src="/somethingNotjQuery.js"></script>
>>>
>>
>> You can't. This is why this won't happen, at least not like that.
>>
>> The only option for this would be to provide a cryptographically 
>> strong hash of the file as the version, but this prevents minor fixes 
>> (i.e. using 1.1 instead of 1.0 where the release only fixes bugs).
>>
>> The other option is to have a server you trust and which can download 
>> the best files for you. A kind of local CDN+cache, in some way.
>
> I feel like I'm missing something...
>
> The proposal was specifically that the browser should provide a 
> built-in jQuery 1.0 in this situation, right?
>
> So if the src points to some other script, there are three possibilities:
>
> 1)  The page expects the other script and will break in a browser that 
> implements this proposal.
>
> 2)  The page expects jQuery 1.0 and will break in a browser that does 
> not implement this proposal.
>
> 3)  The page doesn't care what's loaded here at all.
>
> Ignoring #3 for the moment, "lying" will just mean the page ends up 
> broken.  The main impact of this is how willing UAs are to give pages 
> this footgun, I guess, but it doesn't seem like a fatal problem to me 
> offhand.
>
> Note that if the proposal were to download from one page but share 
> across others, _then_ lying like this would have cache-poisoning 
> issues.  But if the proposal is to just have browsers use built-in 
> versions of libraries it's not obvious to me that there is a problem 
> from the lying aspect.
>
> -Boris
>

I was going to say exactly that, but Boris beat me to it. :) If 
anything, this can provide an (albeit small) level of additional security 
against, say, the compromise of a large public CDN such as Google's 
Hosted Libraries, since it would use the trusted version shipped by the 
browser rather than a possibly compromised version. Using something like 
the lying example given, one might be able to determine the type or 
version of a browser, but there are surely much easier ways to go about 
that.

Boris is also quite right to note that this should not be used as a 
cache population mechanism, since it would make it almost trivial to 
poison that cache.

-Chris.

Received on Saturday, 10 August 2013 03:49:33 UTC
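
The three designs discussed in this thread, as an added example that is not part of the original messages or of any browser's code: a shared cache keyed by the declared library/version label, a shared cache keyed by a verified hash, and a built-in copy shipped by the browser. The class names, URLs and script bodies are constructed for illustration.

```javascript
// Added illustration. Class names, URLs and script bodies are constructed, not a browser API.
const { createHash } = require("crypto");
const sha256 = (body) => createHash("sha256").update(body).digest("base64");

const GENUINE = "/* constructed stand-in for jQuery 1.0 */";
const OTHER = "/* constructed stand-in for somethingNotjQuery.js */";
const ORIGINS = new Map([
  ["https://honest.example/jquery-1.0.js", GENUINE],
  ["https://lying.example/somethingNotjQuery.js", OTHER],
]);
const fetchBody = (src) => ORIGINS.get(src);

// Model 1: the first download is shared across pages, keyed by the declared label.
class LabelKeyedCache {
  constructor() { this.entries = new Map(); }
  load(tag) {
    const key = `${tag.library}@${tag.version}`;
    if (!this.entries.has(key)) this.entries.set(key, fetchBody(tag.src));
    return this.entries.get(key);
  }
}

// Model 2: shared across pages, keyed by a declared digest that is checked before storing.
class HashKeyedCache {
  constructor() { this.entries = new Map(); }
  load(tag) {
    if (this.entries.has(tag.hash)) return this.entries.get(tag.hash);
    const body = fetchBody(tag.src);
    if (sha256(body) !== tag.hash) throw new Error(`digest mismatch: ${tag.src}`);
    this.entries.set(tag.hash, body);
    return body;
  }
}

// Model 3: the browser ships the library; a known label never touches src or shared state.
class BuiltInLibraries {
  constructor() { this.shipped = new Map([["jQuery@1.0", GENUINE]]); }
  load(tag) {
    return this.shipped.get(`${tag.library}@${tag.version}`) ?? fetchBody(tag.src);
  }
}

const lying = { library: "jQuery", version: "1.0", hash: sha256(GENUINE),
                src: "https://lying.example/somethingNotjQuery.js" };
const honest = { library: "jQuery", version: "1.0", hash: sha256(GENUINE),
                 src: "https://honest.example/jquery-1.0.js" };

// Load the lying page first, then report what the honest page receives from the same store.
function honestPageGets(store) {
  try { store.load(lying); } catch (e) { /* a rejected body is never cached */ }
  return store.load(honest);
}
```

Only the label-keyed cache hands the honest page the other script; the hash-keyed cache rejects the mismatched body, and the built-in model gives the lying page the shipped copy, so the lie affects only that page.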