Re: Subresource Integrity strawman.

On Wed, Jan 8, 2014 at 5:38 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> The possibility of examining the contents of cross-origin documents by
> attempting to load them with different known hashes and then
> triggering the reporting behavior (or noticing that navigation in an
> <iframe> has not taken place) seems like a fairly significant issue,
> right? It feels that it would make it considerably easier to
> fingerprint user state across a large number of sites, compared to
> previously demonstrated approaches.
>

If a website always returns a known value for a resource for logged-in
users, then yes, this feature would make it pretty trivial to determine
whether or not that resource was exactly X. That's unfortunately exactly
the same scenario as one in which a resource is being legitimately
requested. I'm open to ways of mitigating this sort of attack; the only
real mitigation I can come up with (no events, no reports for cross-origin
or CORSless resources) works well enough that it entirely breaks the
reporting feature, and still leaves side channels
(`naturalHeight`/`naturalWidth` for an image, for instance).

This concern is noted in section 6.3 as a consideration. I'd agree with
your implication that it's potentially a deal-breaker, but I'm hopeful that
we'll either decide that it isn't, or find a clever mitigation mechanism.


> What would be the behavior of clicking on a non-download link with the
> integrity parameter specified? What would happen if this link is
> opened in a new window? It seems that it may be difficult to behave
> consistently in this case (e.g., how to handle right-click + "open in
> an incognito window" in Chrome?).
>

The intent is for nothing interesting to happen if the resource isn't being
treated as a download. Hopefully the text as written means that nothing
interesting happens. :)

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 8 January 2014 18:48:59 UTC