Re: Caching of web content based on hashes? from Christian Nygaard on 2015-09-05 (public-webappsec@w3.org from September 2015)

From: Christian Nygaard <christiannygaard@gmail.com>
Date: Sat, 5 Sep 2015 10:57:37 +0200
To: Ángel González <angel@16bits.net>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAMD5jYng8dfWNFVmrY7Ekq6w1M4gCMZr4YeLonQY_MrSV0Spkw@mail.gmail.com>

Example website

<head>
    <integrity>sha256-jnUh7+rXHH2lg/5vDY8032ftNVCIEC21vL6szrVw9M</integrity>
  <version>20150913-1343-0000001"</version>
  <authorative-origin="https://example.com">
</head>
...
<img src="logo.png" integrity="<hash of site logo>" />
<href="large.iso" integrity=sha512-">
<video>
  <source src="subresource-integrity-tutorial.mp4" integrity="sha256-">
</video>

One could then fetch a version of links from peers via chunks ala
Bittorrent inspired WebRTC the fastest approach I can think of is P2P
assisted delivery where the authoritative server helps the client if needed
but peers can assist. Having hashes on content could also help anti-malware
and antivirus to keep known good hashes of linked content.

    GET /large.iso HTTP/1.1
    Host: example.com
    Accept-Encoding: hash-sha256

Does one not need both integrity and signature when its distributed? Like
in PGP and GPG?



On Fri, Sep 4, 2015 at 10:47 PM, Ángel González <angel@16bits.net> wrote:

> On Richard Barnes wrote:
> > This was discussed during the development of SRI.  It was not added
> > because it would provide the ability for a calling site to "speak
> > for" another origin, in the sense that the browser would load the
> > content even the origin server would have sent something completely
> > different.
> >
> > --Richard
>
> Expanding the above:
> If host A could use the hash to get "data from host B" that was't
> really in host B, it might be able to escape same-origin policy.
>
>
> That shouldn't be an issue if the request points to the same origin,
> it's passive content or it was sandboxed so the origin didn't matter.*
>
> However, it would be horible for privacy:
>  Here are the pages you recently visited:
>  <img src="missing.png" integrity="<hash of google logo>" />
>  <img src="missing.png" integrity="<hash of facebook logo>" />
>  <img src="missing.png" integrity="<hash of youtube logo>" />
>  <img src="missing.png" integrity="<hash of yahoo logo>" />
>  <img src="missing.png" integrity="<hash of amazon logo>" />
>  <img src="missing.png" integrity="<hash of wikipedia logo>" />
>  <img src="missing.png" integrity="<hash of twitter logo>" />
>
> Moreover, when combined with onload/onerror or simple time measuring,
> that could be sent back to the server.
>
>
> *It would be great source for code obfuscation, though.
>
>

Received on Saturday, 5 September 2015 08:58:08 UTC