Re: [SRI] may only be used in documents in secure origins from Frederik Braun on 2014-11-03 (public-webappsec@w3.org from November 2014)

From: Frederik Braun <fbraun@mozilla.com>
Date: Mon, 3 Nov 2014 09:32:10 -0800 (PST)
To: Pete Freitag <pete@foundeo.com>
Cc: public-webappsec@w3.org
Message-ID: <878177688.30928291.1415035930039.JavaMail.zimbra@mozilla.com>

There is a clear benefit in doing SRI on a document delivered over an unauthenticated origin, I agree.
SRI over HTTP is making the situation a bit safer than no SRI at all.

Although it would be desirable for every site to use HTTPS,
I don't think that SRI is the right way of promoting this.

(I feel like I have anticipated this thread https://github.com/w3c/webappsec/pull/74#)

----- Ursprüngliche Mail -----
> Von: "Pete Freitag" <pete@foundeo.com>
> An: public-webappsec@w3.org
> Gesendet: Montag, 3. November 2014 18:01:43
> Betreff: [SRI] may only be used in documents in secure origins
> 
> Hi Folks,
> 
> I was playing around with SRI in Chrome Canary (40.0.2208.0). When my test
> document was loaded over HTTP/80 I get the error:
> 
> "The 'integrity' attribute may only be used in documents in secure origins."
> 
> And the resource is not loaded (even if the integrity is valid).
> 
> I see that spec says "Integrity metadata delivered over an insecure channel
> provides no security benefit"
> https://w3c.github.io/webappsec/specs/subresourceintegrity/#insecure-channels-remain-insecure-1
> 
> 
> I don't think that statement is totally accurate. There is still a benefit
> if the sub-resource origin is compromised and the requesting resource is
> not.
> 
> Suppose https://jquery.com wanted to put this up on their homepage so
> developers could just copy and paste:
> 
> <script src="//code.jquery.com/jquery-1.10.2.min.js"
> 
> integrity="ni:///sha256;C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=?ct=application/javascript">
> 
> Any site that copied the code with the integrity hash will be protected if
> code.jquery.com is compromised.
> 
> If the current blocking remains, then jquery.com would either not include
> the integrity because it would fail for many developers, or they would have
> to add an explanation that you can only use integrity when your page is
> loaded over HTTPS and provide two code snippets (potentially confusing).
> 
> If you allow integrity in documents hosted on insecure origins the number
> of sites the a CDN attacker can compromise will be reduced significantly.
> 
> Keep up the great work!
> 
> --
> Pete Freitag
>

Received on Monday, 3 November 2014 17:32:37 UTC