- From: Frederik Braun <fbraun@mozilla.com>
- Date: Mon, 06 Oct 2014 10:53:38 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
We've been arguing about allowing SRI to serve as a cache key before. The idea was: once the browser knows that two resources on distinct origins are meant to be the same one (i.e., same hash), it could keep just one cache entry. This would result in a performance improvement for all websites, regardless of the origin this resource is hosted at.

But Michal Zalewski raised the valid concern that it's easy to get evil scripts into the browser cache (by someone visiting evil.com). Making the user agent believe that this resource is indeed available on innocent websites is then just an XSS vulnerability away. This cache poisoning attack would also bypass CSP, as the script is believed to be available on a whitelisted origin.

My colleague Mark Goodwin came up with this: what if CSP's hash sources could be a solution to this problem? If the website explicitly says that it allows a script with this hash in its CSP policy, isn't it less likely to be fake?

What do you think?

Thanks,
Frederik
Received on Monday, 6 October 2014 08:54:07 UTC