W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: subresource integrity and browser extensions

From: Mike West <mkwst@google.com>
Date: Wed, 26 Mar 2014 13:00:36 +0100
Message-ID: <CAKXHy=eXXgZ=7qy-=W1zCok_8JTJLTeBiaGh8Xn3uQmBbjh4Bw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Glenn Adams <glenn@skynav.com>, yan@eff.org
As Yan noted in her email, I agree with this position. Given the
conversations around similar topics for CSP, I think it probably reflects
the conensus of the group, and I've added non-normative language to this
effect in
https://github.com/w3c/webappsec/commit/b85f0fad4a1d38f57f3bcc457c6f32ad703f3ee8
.

CCing Glenn explicitly, since Cox seems concerned about this sort of
language in general. If another formal objection is coming, I'd like to
know about it sooner rather than later. :)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Wed, Mar 26, 2014 at 12:57 PM, Mike West <mkwst@google.com> wrote:

> Forwarding this on from Yan Zhu.
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> ---------- Forwarded message ----------
> From: Yan Zhu <yan@eff.org>
> Date: Tue, Mar 25, 2014 at 10:35 PM
> Subject: Fwd: subresource integrity and browser extensions
> To: Mike West <mkwst@google.com>
>
>
> Hi Mike,
>
> Somehow my emails to public-webappsec aren't going through even though
> I'm subscribed and getting emails :(. Feel free to forward or I can
> continue troubleshooting.
>
> -Yan
>
>
> -------- Original Message --------
> Subject: subresource integrity and browser extensions
> Date: Tue, 25 Mar 2014 13:27:10 -0700
> From: Yan Zhu <yan@eff.org>
> To: public-webappsec@w3.org <public-webappsec@w3.org>
>
> Hi all,
>
> Mike West seemed to suggest on EFF's crypto-ops mailing list thread
> about SRI [1] that the spec should address how SRI interacts with
> browser extensions. I thought I would cross-post my input as the
> maintainer of HTTPS Everywhere (https://eff.org/https-everywhere).
>
> [1] https://lists.eff.org/mailman/listinfo/crypto-ops. Archives are
> visible to list members only.
>
>
> Mike West wrote:
> > This proposal _would_, however, make it difficult for extensions to
> > redirect one request to another resource. That's something we should
> > address in the spec; extensions should be capable of bypassing these
> checks.
>
> This is the HTTPS Everywhere problem. It's possible that a resource will
> fail SRI checks when it's rewritten (correctly!) by our extension to its
> HTTPS version. This rewrite definitely happens before SRI gets a chance
> to work because it occurs inside a web request listener.
>
> Here are two examples of things we've seen in the real world:
> 1. The title of http://site.com is "Welcome to our site!" whereas the
> title of https://secure.site.com is "Welcome to our secure site!" The
> SSL version gets blocked when it's inside an iframe with a SRI hash for
> the non-SSL version.
> 2. The SSL version of a resource has all of its own subresource URL
> schemes changed from "http://" to "https://", because the developer has
> some server-side script that detects whether the resource is served over
> SSL and changes the URLs accordingly (perhaps for mixed content reasons).
>
> In general, there's no guarantee that a site is serving the exact same
> resource over HTTP and HTTPS; part of the job of HTTPS Everywhere
> contributors is to check and make sure that any differences are innocuous.
>
> The reasonable solution is to allow extensions to bypass SRI, though
> this may cause website operators and extension repository maintainers to
> complain that extensions shouldn't have the power to *disable* security
> features unless the user installed them for that purpose or had to check
> a box giving them permission to. Nonetheless, I think specifying that
> extensions can bypass SRI in the spec is a good idea if there are no
> objections.
>
> I'm not too concerned either way; we've survived more annoying breakages
> in the past.
>
> Hope this is useful,
> Yan
>
>
>
>
>
>
Received on Wednesday, 26 March 2014 12:01:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC