- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 11 Jan 2014 15:06:08 +0000
- To: WebAppSec WG <public-webappsec@w3.org>
I looked at yesterday's draft of http://w3c.github.io/webappsec/specs/subresourceintegrity/

The introduction starts off a little weird. Maybe swap the first two sentences?

ni URL scheme. Is this expected to be parsed and handled by browsers? Because then we need a definition layered on top of http://url.spec.whatwg.org/ I think.

The eligibility check in 3.3.2 seems to check for CORS twice. A resource is "CORS same-origin" if a CORS check for it passes. (Terminology here is still a bit in flux due to the rewrite in Fetch.) Step 4 of that algorithm could use some explanation as to why it is done. It seems somewhat dodgy.

In 3.3.3 you want to talk about resource's URL's scheme, not just its scheme.

Why do we make integrity a global attribute while other fetch-related attributes are always local? That does not make much sense to me.

For the <iframe> element I don't understand why we'd delay rendering if the policy is not block.

For CSS I think we want something like integrity-url(), but maybe CSS should have a more generic mechanism as I suspect we want to be able to control more there in the long term. E.g. CORS, whether Referer is emitted, whether cookies are included, etc. So maybe we should have url() and fetch() where fetch() allows for metadata.

For XMLHttpRequest should we not put if statements around dispatching progress events and such if the policy is block? Seems somewhat weird for that API to be different from the others.

You argue that the MIME type "SHOULD be provided" but then in the examples in 1.2 you never do that. Also, given that you only check whether the MIME type specified by the integrity attribute matches that specified by the server, you are not actually protecting the numerous contexts where we end up sniffing the resource. E.g. <img> only looks for image/svg+xml, <script> never looks at the MIME type, etc. If you want this MIME type thing to be meaningful you've got to dive into the http://mimesniff.spec.whatwg.org/ rabbit hole I think.
Finally, I'm having a hard time writing integrity, isn't there some easier-to-spell word we can use? hash is still free I think. -- http://annevankesteren.nl/
Received on Saturday, 11 January 2014 15:06:35 UTC