W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [SRI] To trust or not to trust a CDN

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 29 Oct 2014 10:14:16 -0700
Message-ID: <CAPfop_1i=quRvCvDGN3kKph=0uXT4LHyFUZ9-FBi-b4U5PTf7g@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Hatter Jiang OWS <hatter@openwebsecurity.org>, Ben Toews <btoews@github.com>, Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> We're talking about two attacks on two applications that need to occur for
> all of this to work. That is, if I just compromise example.com, all I can do
> is modify foo.js, which the integrity check blocks. If I compromise the
> client app (let's call it bar.com) with an XSS, I can inject an
> integrity-less link to foo.js... but that's only concerning if I *also*
> compromised example.com.

Exactly! Let's first get to a world where you need two attacks, then we
can worry about how to help against the two attacks. Right now, we are
not even sure if something like SRI is practical on the web.

Received on Wednesday, 29 October 2014 17:15:03 UTC
