
Re: [SRI] Shared Cache through `sharedcache` attribute

From: Romuald Brillout <w3c@brillout.com>
Date: Tue, 22 Dec 2015 00:47:44 +0100
Message-ID: <CA+W74e1pRp7vXGx7raiPVyCs87uyxYd=efnm923xsx3LaKwS+w@mail.gmail.com>
To: public-webappsec@w3.org

As for CSP: scripts with sharedcache="true" should be treated the same as
inline scripts.

Because:
 - We should assume that an attacker is able to add arbitrary assets to the
   shared cache (e.g. via a website he owns)
 - Therefore setting the integrity attribute while sharedcache="true" is
   equivalent to setting the content of the script to the source of the asset,
   i.e. it is equivalent to inline scripting

(this is a copy of a comment on
https://github.com/w3c/webappsec/issues/504 because
I don't know whether the mailing list or the GitHub repository supersedes the other)
Received on Monday, 21 December 2015 23:48:12 UTC
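
The equivalence argued in the message above, as an added model that is not part of the original e-mail, the GitHub issue or any specification. It assumes a cache keyed only by content hash that any site can populate; `SharedCache`, `decide` and the `cdn.example` host are hypothetical names, and the script body is constructed sample data.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def sri_digest(body: bytes) -> str:
    """SRI-style integrity value: 'sha384-' + base64 of the SHA-384 digest."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class SharedCache:
    """Hypothetical cross-site cache keyed only by content hash."""
    def __init__(self):
        self.entries = {}

    def store(self, body: bytes) -> str:
        # Any site the user visits can add an entry (the message's assumption).
        digest = sri_digest(body)
        self.entries[digest] = body
        return digest

def host_allowed(script_src: set, url: str) -> bool:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" in script_src

def inline_allowed(script_src: set, digest: str) -> bool:
    # The same test CSP applies to an inline <script>: 'unsafe-inline' or a hash source.
    return "'unsafe-inline'" in script_src or f"'{digest}'" in script_src

def decide(script_src: set, tag: dict, cache: SharedCache, as_inline: bool):
    """Return the bytes that would execute, or None if the policy blocks the tag."""
    body = cache.entries.get(tag["integrity"])
    if tag.get("sharedcache") != "true" or body is None:
        return None  # ordinary network fetch path, not modelled here
    # Cache hit: tag["src"] is never fetched, so it says nothing about the bytes.
    if as_inline:
        allowed = inline_allowed(script_src, tag["integrity"])
    else:
        allowed = host_allowed(script_src, tag["src"])
    return body if allowed else None

# Constructed sample data (hosts and script body are placeholders).
POLICY = {"https://cdn.example"}
CACHE = SharedCache()
BODY = b"/* constructed script body cached by an unrelated site */"
TAG = {"src": "https://cdn.example/lib.js",
       "integrity": CACHE.store(BODY), "sharedcache": "true"}

if __name__ == "__main__":
    print("host-only check:", decide(POLICY, TAG, CACHE, as_inline=False))
    print("treated as inline:", decide(POLICY, TAG, CACHE, as_inline=True))
```

With a host-only check the cached bytes run under a policy that lists only `https://cdn.example`; evaluated as inline, the tag is blocked unless the policy carries `'unsafe-inline'` or a matching hash source.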
