W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: Feedback on subresource integrity

From: Frederik Braun <fbraun@mozilla.com>
Date: Thu, 20 Mar 2014 14:06:58 +0100
Message-ID: <532AE7F2.1030901@mozilla.com>
To: Jacob Hoffman-Andrews <jsha@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 20.03.2014 07:27, Jacob Hoffman-Andrews wrote:> If we could add SRI
to JS from *..twimg.com <http://twimg.com/>, we
> would not be as
> dependent on the security of those additional CAs, nor would we need
> to trust our CDNs not to serve poisoned JS.

This is exactly one of the intended use cases: Reducing the authority an
origin selected for inclusion has on your document.

> I've heard some talk about using SRI with HTTP resources, with user
> agents possibly bypassing mixed content checks in that situation. I think
> bypassing mixed content checks would be a bad idea, since SRI does
> not provide the confidentiality that HTTPS is supposed to provide.

This is an open question and we haven't made any decision yet. I agree
with you, but let me sum up my reasoning behind this:
SRI+HTTP can not replace HTTPS. While SRI helps preventing active
attacks and detecting modified resources, it does not provide the
confidentiality that HTTPS provides (though the confidentiality is of
course limited, given the data one can gather from response lengths and
IP addresses).

Thank you for the feedback,
Received on Thursday, 20 March 2014 13:07:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:37 UTC