Re: [SRI] Shared Cache through `sharedcache` attribute from Devdatta Akhawe on 2015-10-14 (public-webappsec@w3.org from October 2015)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 13 Oct 2015 22:11:56 -0700
To: Francois Marier <francois@mozilla.com>
Cc: public-webappsec@w3.org
Message-ID: <CAPfop_3u61AWMgSh8dTFdssPmYAvob2c_e8Xmn8=gbe7EUzM8Q@mail.gmail.com>

IIRC, the trickier bit is around csp.

I load attacker.com/evil.js with shared cache and integrity foo. Then I
inject  "https://allowedbycsp.com/test.js" with the shared cache attribute
to on and integrity set to foo. This will load evil.js, even though the csp
whitelisted site has no such resource

This is solvable but needs collaboration with the csp spec. But might help
explain why we decided this was too tricky for v1
On Oct 13, 2015 2:29 PM, "Francois Marier" <francois@mozilla.com> wrote:

> On 13/10/15 09:08 AM, Romuald Brillout wrote:
> > The idea of using the digest defined in the `integrity` attribute as key
> > for a cross-origin shared cache has been discussed before.
> > It seems that the idea has been rejected.
> > However I can't find the reason why it has been rejected.
>
> The main reason why it was postponed to the next version of the SRI spec
> is that it was likely to delay both the implementations and the spec if
> included in v1.
>
> Thanks for re-opening a bug for this.
>
> Francois
>
>

Received on Wednesday, 14 October 2015 05:12:38 UTC