Re: Subresource Integrity strawman. from Mike West on 2014-01-08 (public-webappsec@w3.org from January 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 8 Jan 2014 19:48:10 +0100
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@google.com>, Brad Hill <bhill@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Mark Nottingham <mnot@mnot.net>, Tab Atkins <tabatkins@google.com>, Ilya Grigorik <igrigorik@google.com>
Message-ID: <CAKXHy=dKff99dVsN=ZNBQqL18pCkJhD64eA4uu-AkzyKAbXv+w@mail.gmail.com>

On Wed, Jan 8, 2014 at 5:38 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> The possibility of examining the contents of cross-origin documents by
> attempting to load them with different known hashes and then
> triggering the reporting behavior (or noticing that navigation in an
> <iframe> has not taken place) seems like a fairly significant issue,
> right? It feels that it would make it considerably easier to
> fingerprint user state across a large number of sites, compared to
> previously demonstrated approaches.
>

If a website always returns a known value for a resource for logged-in
users, then yes, this feature would make it pretty trivial to determine
whether or not that resource was exactly X. That's unfortunately exactly
the same scenario as one in which a resource is being legitimately
requested. I'm open to ways of mitigating this sort of attack; the only
real mitigation I can come up with (no events, no reports for cross-origin
or CORSless resources) works well enough that it entirely breaks the
reporting feature, and still leaves side channels
(`naturalHeight`/`naturalWidth` for an image, for instance).

This concern is noted in section 6.3 as a consideration. I'd agree with
your implication that it's potentially a deal-breaker, but I'm hopeful that
we'll either decide that it isn't, or find a clever mitigation mechanism.

> What would be the behavior of clicking on a non-download link with the
> integrity parameter specified? What would happen if this link is
> opened in a new window? It seems that it may be difficult to behave
> consistently in this case (e.g., how to handle right-click + "open in
> an incognito window" in Chrome?).
>

The intent is for nothing interesting to happen if the resource isn't being
treated as a download. Hopefully the text as written means that nothing
interesting happens. :)

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 8 January 2014 18:48:59 UTC