W3C home > Mailing lists > Public > public-privacy@w3.org > April to June 2015

Re: subresource integrity (was Re: PING call)

From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
Date: Tue, 19 May 2015 12:10:40 +0800
To: Nicholas Doty <npdoty@ischool.berkeley.edu>
CC: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <D180D661.9DED%kepeng.lkp@alibaba-inc.com>
>For example, cross-origin data leakage is one of the considerations there.

OK, I got it. If there is data leakage, it will also cause privacy issues.

Maybe we can change the sentence a little bit to reflect this:

5.3 Cross-origin data leakage
Attackers can determine whether some cross-origin resource has certain
content by attempting to load it with a known digest, and watching for load
failures. If the load fails, the attacker can surmise that the resource
didn’t match the hash, and thereby gain some insight into its contents. This
might reveal user privacy, for example, whether or not a user is logged into
a particular service.


Kind Regards

Kepeng Li
Alibaba Group

发件人:  Nicholas Doty <npdoty@ischool.berkeley.edu>
日期:  Tuesday, 19 May, 2015 9:40 am
至:  Li Kepeng <kepeng.lkp@alibaba-inc.com>
抄送:  "public-privacy (W3C mailing list)" <public-privacy@w3.org>
主题:  subresource integrity (was Re: PING call)

On May 18, 2015, at 5:20 AM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
>> 2. Privacy review request from Web Applications Security WG concerning
>> Subresource Integrity [1]
> It seems that there are no privacy considerations in this document.
> Should we add something?

There is a Security Considerations section that is likely relevant to the
things we typically review:


For example, cross-origin data leakage is one of the considerations there. I
wonder if authors should typically write these as "Security and Privacy
Considerations" since they so often overlap.

Received on Tuesday, 19 May 2015 04:11:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:49:29 UTC