
[integrity] Downloads

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 16 Jan 2014 11:28:31 -0800
Message-ID: <CALx_OUCDjD4S1qc4yiryiP5kxY3gr-hpC6q-ru1+u-VTPovHJg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

The spec currently says that integrity checks are performed both if
the "download" attribute is used, and if a download is triggered by
Content-Disposition.

However, the latter would not be meaningful: if the destination site
goes rogue, it could initially return a minimalistic HTML document
that is not served with Content-Disposition: attachment, but then
performs an instant <meta> or JS redirect to an evil binary.

In this case, the integrity attribute will be ignored and the
navigation to the evil HTML document will take place, with a download
commencing immediately thereafter; and the end result would be
practically indistinguishable from a successful integrity check.

I think the only way to make integrity work on <a> is to require the
download attribute. Further, because incorrect uses would be otherwise
hard to spot, I would suggest specifying that <a integrity=...> with
no 'download' specified should fail unconditionally.

/mz
Received on Thursday, 16 January 2014 19:29:20 UTC