W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: SRI and CORS

From: Mike West <mkwst@google.com>
Date: Thu, 3 Jul 2014 15:25:28 +0200
Message-ID: <CAKXHy=cuO9wP1eYgphUhu6A=qkwsx+9PRXmHPeg3yXCJMM96gA@mail.gmail.com>
To: Adam Langley <agl@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
This is a problem with SRI generally. If you can determine that the load
failed (and you can), then you can do this without the CORS bypass.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Jul 3, 2014 at 3:21 PM, Adam Langley <agl@google.com> wrote:

> On Thu, Jul 3, 2014 at 2:02 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > It seems that if you can already proof what the bits of a resource
> > are, maybe you should be able to get hold of it with all the benefits
> > of CORS. Probably given a secure enough hash algorithm. Have people
> > been thinking about this?
>
> What if I know that the resource is one of $n values and so try $n
> different loads, with different hash values, in order to find which it
> is?
>
>
> Cheers
>
> AGL
>
>
Received on Thursday, 3 July 2014 13:26:16 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC