
[SRI] may only be used in documents in secure origins

From: Pete Freitag <pete@foundeo.com>
Date: Mon, 3 Nov 2014 12:01:43 -0500
Message-ID: <CAADZ8V7rU4ymcHKqJGxe0M=nxb_kbK_VJzhrjHzQ_4r-+x+Smw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi Folks,

I was playing around with SRI in Chrome Canary (40.0.2208.0). When my test
document was loaded over HTTP/80 I get the error:

"The 'integrity' attribute may only be used in documents in secure origins."

And the resource is not loaded (even if the integrity is valid).

I see that the spec says "Integrity metadata delivered over an insecure channel
provides no security benefit"
https://w3c.github.io/webappsec/specs/subresourceintegrity/#insecure-channels-remain-insecure-1


I don't think that statement is totally accurate. There is still a benefit
if the sub-resource origin is compromised and the requesting resource is
not.

Suppose https://jquery.com wanted to put this up on their homepage so
developers could just copy and paste:

<script src="//code.jquery.com/jquery-1.10.2.min.js"
        integrity="ni:///sha256;C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=?ct=application/javascript"></script>

Any site that copied the code with the integrity hash will be protected if
code.jquery.com is compromised.

If the current blocking remains, then jquery.com would either not include
the integrity because it would fail for many developers, or they would have
to add an explanation that you can only use integrity when your page is
loaded over HTTPS and provide two code snippets (potentially confusing).

If you allow integrity in documents hosted on insecure origins the number
of sites a CDN attacker can compromise will be reduced significantly.

Keep up the great work!

--
Pete Freitag
Received on Monday, 3 November 2014 17:02:31 UTC
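
The integrity check the message above relies on, as an added Node.js illustration (not part of the original post and not any browser's code): it parses the draft-era `ni:///` value quoted in the message and accepts a body only if its SHA-256 matches the pinned digest. The function names and the two sample bodies are constructed for this example; it covers only the hash comparison, not the channel the embedding document itself arrives over.

```javascript
// Added example: parse the draft-era "ni:///" integrity value and check a body.
const crypto = require('node:crypto');

// Integrity value exactly as it appears in the post.
const POSTED_INTEGRITY =
  'ni:///sha256;C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=?ct=application/javascript';

// Split "ni:///<alg>;<base64 digest>?ct=<content type>" into its parts.
function parseIntegrity(value) {
  const m = /^ni:\/\/\/([a-z0-9-]+);([A-Za-z0-9+\/_=-]+)(?:\?ct=(.+))?$/.exec(value);
  if (!m) return null;
  // Accept base64url as well as standard base64; drop padding before comparing.
  const digest = m[2].replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  return { alg: m[1], digest, contentType: m[3] || null };
}

// Build an integrity value for a body (what the snippet's publisher would do).
function makeIntegrity(body, contentType) {
  const d = crypto.createHash('sha256').update(body).digest('base64');
  return `ni:///sha256;${d}?ct=${contentType}`;
}

// Return true only if the body hashes to the pinned digest. Fails closed on
// unparseable metadata or an algorithm other than sha256.
function verifyBody(integrity, body) {
  const meta = parseIntegrity(integrity);
  if (!meta || meta.alg !== 'sha256') return false;
  const actual = crypto.createHash('sha256').update(body).digest('base64')
    .replace(/=+$/, '');
  const a = Buffer.from(actual), b = Buffer.from(meta.digest);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample bodies (not the real jQuery file).
const ORIGINAL = Buffer.from('window.lib = function () { return 1; };\n');
const TAMPERED = Buffer.from('window.lib = function () { return 2; };\n');
const PINNED = makeIntegrity(ORIGINAL, 'application/javascript');

console.log(parseIntegrity(POSTED_INTEGRITY));
console.log('original accepted:', verifyBody(PINNED, ORIGINAL));
console.log('tampered accepted:', verifyBody(PINNED, TAMPERED));
```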
