[SRI] To trust or not to trust a CDN

From: Frederik Braun <fbraun@mozilla.com>
Date: Tue, 28 Oct 2014 21:02:21 +0100
Message-ID: <544FF64D.7060306@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Subresource Integrity is supposed to help not having to trust CDNs. The
idea is that a compromised JavaScript library on another origin cannot
harm the web page. This is in contrast to CSP having to trust the whole

If I want to use CSP I am saying "I trust this whole origin". If I want
to use SRI I say "I do not trust this origin, but that file is fine".

Having SRI in place means we will put an untrusted origin (it's untrusted
- otherwise we wouldn't use SRI?) into the CSP whitelist. Meaning that
every file from this untrusted origin is fine.

This is a weird contradiction. Assuming XSS and thinking the CDN may
indeed become evil, an attacker may just include <script
src="https://cdn.example/evil.js"> instead of <script
src="https://cdn.example/lib.js" integrity=valid> and it will work :(

I wonder if this may be solved with CSP hash-src, though hash-src is
only for inline scripts, not other-origin scripts.
Maybe because of the privacy concerns that this would allow learning the
hash of cross-origin resources?
This would require CORS-enabled (just like SRI) then.
Received on Tuesday, 28 October 2014 20:02:50 UTC
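
The contradiction described in the message above, as an added example that is not part of the original post: a simplified model of the CSP origin check and the SRI check applied to an authored tag and to an injected one. The `wouldExecute` function, the `externalHashes` policy field (a hypothetical stand-in for the hash-based allowlisting of other-origin scripts the message asks about) and the script bodies are assumptions constructed for illustration.

```javascript
const { createHash } = require('crypto');

// Constructed sample bodies standing in for what cdn.example might serve.
const LIB_BODY = 'window.lib = { version: 1 };';
const EVIL_BODY = 'window.lib = { tampered: true };';

// SRI-style digest string for a response body.
const sri = (body) => 'sha256-' + createHash('sha256').update(body).digest('base64');

// Simplified model: CSP script-src matches on origin only, and SRI is
// enforced only when the tag itself carries an integrity attribute.
function wouldExecute(policy, tag, servedBody) {
  const origin = new URL(tag.src).origin;
  if (!policy.scriptSrcOrigins.includes(origin)) return false; // CSP origin check
  const digest = sri(servedBody);
  if (tag.integrity && tag.integrity !== digest) return false; // SRI check
  // Hypothetical policy field: hashes that external scripts must match.
  if (policy.externalHashes && !policy.externalHashes.includes(digest)) return false;
  return true;
}

function demo() {
  const originOnly = { scriptSrcOrigins: ['https://cdn.example'] };
  const withHashes = { ...originOnly, externalHashes: [sri(LIB_BODY)] };
  // Tag written by the page author, with a valid integrity value.
  const authored = { src: 'https://cdn.example/lib.js', integrity: sri(LIB_BODY) };
  // Tag injected through XSS: same allowlisted origin, no integrity attribute.
  const injected = { src: 'https://cdn.example/evil.js' };
  return {
    authoredIntact: wouldExecute(originOnly, authored, LIB_BODY),
    authoredTampered: wouldExecute(originOnly, authored, EVIL_BODY),
    injectedOriginOnly: wouldExecute(originOnly, injected, EVIL_BODY),
    injectedWithHashes: wouldExecute(withHashes, injected, EVIL_BODY),
    authoredWithHashes: wouldExecute(withHashes, authored, LIB_BODY),
  };
}

console.log(demo());
```

With the origin-only policy, SRI stops the tampered `lib.js` but the injected tag still runs; only the policy that pins hashes for external scripts rejects it.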