W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [SRI] To trust or not to trust a CDN

From: Frederik Braun <fbraun@mozilla.com>
Date: Thu, 30 Oct 2014 09:46:44 +0100
Message-ID: <5451FAF4.50701@mozilla.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 29.10.2014 18:14, Devdatta Akhawe wrote:
>> We're talingk about a two attacks on two applications that need to occur for
>> all of this to work. That is, if I just compromise example.com, all I can do
>> is modify foo.js, which the integrity check blocks. If I compromise the
>> client app (let's call it bar.com) with an XSS, I can inject an
>> integrity-less link to foo.js... but that's only concerning if I *also*
>> compromised example.com.
> 
> Exactly! Lets first get to a world where you need two attacks, then we
> can worry about how to help against the two attacks. Right now, we are
> not even sure if something like SRI is practical on the web.
> 
> -dev
> 

OK, you convinced me. And I agree that requiring two attacks where one
is a fully compromised CDN is quite a high bar. Just wanted to make sure
this is captured, as my least-privilege sense was tingling.
Received on Thursday, 30 October 2014 08:47:17 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC