- From: Gregg Kellogg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 07 Sep 2021 19:46:19 +0000
- To: public-shex-dev@w3.org
gkellogg has just created a new issue for https://github.com/shexSpec/spec:

== Import vulnerabilities ==

The import feature creates vulnerabilities similar to the JSON-LD remote context loading. In the case of JSON-LD, the document loader provides a means of avoiding accessing remote resources, although it's still come under a fair amount of criticism (See https://github.com/w3c/json-ld-syntax/issues/108 and https://github.com/w3c/json-ld-api/issues/14 for example).

* A man-in-the-middle attack could cause different systems to receive different documents at different times.
* Accessing the remote resource presents an opportunity to track usage and leak intention.
* Routinely accessing remote resources can place a burden on the host (e.g., schema.org).
* There is no facility for embedded use to avoid the remote lookup.
* A malicious service can cause a stack-overflow by automatically creating nested documents.

The spec should address this concern and/or provide mitigations. One area that JSON-LD may pursue in the future is the use of integrity checks (ala https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity).

Please view or discuss this issue at https://github.com/shexSpec/spec/issues/43 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 7 September 2021 19:46:21 UTC