- From: Pete Freitag <pete@foundeo.com>
- Date: Mon, 3 Nov 2014 12:01:43 -0500
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAADZ8V7rU4ymcHKqJGxe0M=nxb_kbK_VJzhrjHzQ_4r-+x+Smw@mail.gmail.com>
Hi Folks, I was playing around with SRI in Chrome Canary (40.0.2208.0). When my test document was loaded over HTTP/80 I get the error: "The 'integrity' attribute may only be used in documents in secure origins." And the resource is not loaded (even if the integrity is valid). I see that spec says "Integrity metadata delivered over an insecure channel provides no security benefit" https://w3c.github.io/webappsec/specs/subresourceintegrity/#insecure-channels-remain-insecure-1 I don't think that statement is totally accurate. There is still a benefit if the sub-resource origin is compromised and the requesting resource is not. Suppose https://jquery.com wanted to put this up on their homepage so developers could just copy and paste: <script src="//code.jquery.com/jquery-1.10.2.min.js" integrity="ni:///sha256;C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=?ct=application/javascript"> Any site that copied the code with the integrity hash will be protected if code.jquery.com is compromised. If the current blocking remains, then jquery.com would either not include the integrity because it would fail for many developers, or they would have to add an explanation that you can only use integrity when your page is loaded over HTTPS and provide two code snippets (potentially confusing). If you allow integrity in documents hosted on insecure origins the number of sites the a CDN attacker can compromise will be reduced significantly. Keep up the great work! -- Pete Freitag
Received on Monday, 3 November 2014 17:02:31 UTC