W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2015

Re: [SRI] Shared Cache through `sharedcache` attribute

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 13 Oct 2015 22:11:56 -0700
Message-ID: <CAPfop_3u61AWMgSh8dTFdssPmYAvob2c_e8Xmn8=gbe7EUzM8Q@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: public-webappsec@w3.org
IIRC, the trickier bit is around csp.

I load attacker.com/evil.js with shared cache and integrity foo. Then I
inject  "https://allowedbycsp.com/test.js" with the shared cache attribute
to on and integrity set to foo. This will load evil.js, even though the csp
whitelisted site has no such resource

This is solvable but needs collaboration with the csp spec. But might help
explain why we decided this was too tricky for v1
On Oct 13, 2015 2:29 PM, "Francois Marier" <francois@mozilla.com> wrote:

> On 13/10/15 09:08 AM, Romuald Brillout wrote:
> > The idea of using the digest defined in the `integrity` attribute as key
> > for a cross-origin shared cache has been discussed before.
> > It seems that the idea has been rejected.
> > However I can't find the reason why it has been rejected.
> The main reason why it was postponed to the next version of the SRI spec
> is that it was likely to delay both the implementations and the spec if
> included in v1.
> Thanks for re-opening a bug for this.
> Francois
Received on Wednesday, 14 October 2015 05:12:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:52 UTC