[integrity] content-addressable cache?

We've been arguing about allowing SRI to serve as a cache key before:

The idea was: Once the browser knows that two resources on distinct
origins are meant to be the same one (i.e., same hash), it could keep
just one cache entry. This would result in a performance improvement for
all websites, regardless of the origin this resource is hosted at.

But Michal Zalewski raised the valid concern that it's easy to get evil
scripts into the browser cache (by someone visiting evil.com). Making
the user agent believe that this resource is indeed available on
innocent websites is then just an XSS vulnerability away. This cache
poisoning attack would also bypass CSP, as the script is believed to be
available on a whitelisted origin.

My colleague Mark Goodwin came up with this:

What if CSP's hash sources could be a solution to this problem? If
the website explicitly says that it allows a script with this hash in
its CSP policy, isn't it less likely to be fake?

What do you think?


Received on Monday, 6 October 2014 08:54:07 UTC
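Added example, not from the thread or from any browser implementation: a toy content-addressable cache that only hands out a cross-origin entry when the embedding page's CSP hash-source names that digest, which is the rule Mark sketches above. The sample scripts and policy are constructed; the digest format is the one SRI and CSP share.

```python
import base64
import hashlib

# Constructed sample data (not from the original thread).
LEGIT_SCRIPT = b"console.log('hello from innocent.example');"
EVIL_SCRIPT = b"alert('injected');"
INNOCENT_CSP = "default-src 'none'; script-src 'self' '{}'"  # hash filled in by simulate()

def sri_digest(body, algo="sha256"):
    """Return '<algo>-<base64 digest>', the form shared by SRI's integrity= and CSP's hash-source."""
    digest = hashlib.new(algo, body).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))

def csp_hash_sources(policy):
    """Collect the hash-sources named in a policy's script-src directive."""
    sources = set()
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            for tok in tokens[1:]:
                tok = tok.strip("'")
                if tok.split("-", 1)[0] in ("sha256", "sha384", "sha512"):
                    sources.add(tok)
    return sources

class ContentAddressableCache:
    def __init__(self):
        self.entries = {}   # integrity metadata -> response body

    def store(self, body):
        key = sri_digest(body)
        self.entries[key] = body
        return key

    def lookup(self, integrity, page_csp):
        """Serve an entry only if the embedding page's CSP vouches for its hash."""
        if integrity not in self.entries or integrity not in csp_hash_sources(page_csp):
            return None     # unknown, or cached but not named by the page's policy
        return self.entries[integrity]

def simulate():
    cache = ContentAddressableCache()
    evil_key = cache.store(EVIL_SCRIPT)         # primed during a visit to evil.example
    legit_key = cache.store(LEGIT_SCRIPT)
    policy = INNOCENT_CSP.format(legit_key)     # innocent.example lists only its own script's hash
    return {
        "legit": cache.lookup(legit_key, policy) == LEGIT_SCRIPT,
        "injected": cache.lookup(evil_key, policy) is None,   # XSS-injected tag gets no cache hit
    }
```

Without the policy check, `lookup(evil_key, ...)` would return the poisoned body to any page that names its hash, which is the attack Michal describes.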