Re: [SRI] To trust or not to trust a CDN from Brian Smith on 2014-11-05 (public-webappsec@w3.org from November 2014)

From: Brian Smith <brian@briansmith.org>
Date: Tue, 4 Nov 2014 19:31:37 -0800
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Joel Weinberger <jww@chromium.org>, Hatter Jiang OWS <hatter@openwebsecurity.org>, Ben Toews <btoews@github.com>, Mike West <mkwst@google.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt4e9TVwAAXuBOmeGzPM4nMxUnOw-xVyUiNQdkTRKUE00g@mail.gmail.com>

Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > We're talingk about a two attacks on two applications that need to occur
> for
> > all of this to work. That is, if I just compromise example.com, all I
> can do
> > is modify foo.js, which the integrity check blocks. If I compromise the
> > client app (let's call it bar.com) with an XSS, I can inject an
> > integrity-less link to foo.js... but that's only concerning if I *also*
> > compromised example.com.
>
> Exactly! Lets first get to a world where you need two attacks, then we
> can worry about how to help against the two attacks.

I agree that that would be good, and that's exactly what would have
happened if Frederik hadn't pointed out this issue before SRI were
standardized. But, since we know about the issue now, I think it is
reasonable to consider changes to the syntax that avoid the problem now, so
that we don't end up with a bad syntax later.

> Right now, we are
> not even sure if something like SRI is practical on the web.
>

Nobody's suggesting that people stop experimenting with the current syntax.
AFAICT, any results from experiments with the current syntax would carry
over to any new syntax.

Cheers,
Brian

Received on Wednesday, 5 November 2014 03:32:04 UTC