- From: Christian Nygaard <christiannygaard@gmail.com>
- Date: Sat, 5 Sep 2015 10:57:37 +0200
- To: Ángel González <angel@16bits.net>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAMD5jYng8dfWNFVmrY7Ekq6w1M4gCMZr4YeLonQY_MrSV0Spkw@mail.gmail.com>

Example website
<head>
<integrity>sha256-jnUh7+rXHH2lg/5vDY8032ftNVCIEC21vL6szrVw9M</integrity>
<version>20150913-1343-0000001"</version>
<authorative-origin="https://example.com">
</head>
...
<img src="logo.png" integrity="<hash of site logo>" />
<href="large.iso" integrity=sha512-">
<video>
<source src="subresource-integrity-tutorial.mp4" integrity="sha256-">
</video>

One could then fetch a version of links from peers via chunks à la BitTorrent-inspired WebRTC. The fastest approach I can think of is P2P-assisted delivery, where the authoritative server helps the client if needed but peers can assist. Having hashes on content could also help anti-malware and antivirus to keep known good hashes of linked content.

GET /large.iso HTTP/1.1
Host: example.com
Accept-Encoding: hash-sha256

Does one not need both integrity and signature when it's distributed? Like in PGP and GPG?

On Fri, Sep 4, 2015 at 10:47 PM, Ángel González <angel@16bits.net> wrote:
> On Richard Barnes wrote:
> > This was discussed during the development of SRI. It was not added
> > because it would provide the ability for a calling site to "speak
> > for" another origin, in the sense that the browser would load the
> > content even if the origin server would have sent something completely
> > different.
> >
> > --Richard
>
> Expanding the above:
> If host A could use the hash to get "data from host B" that wasn't
> really in host B, it might be able to escape same-origin policy.
>
> That shouldn't be an issue if the request points to the same origin,
> it's passive content or it was sandboxed so the origin didn't matter.*
>
> However, it would be horrible for privacy:
> Here are the pages you recently visited:
> <img src="missing.png" integrity="<hash of google logo>" />
> <img src="missing.png" integrity="<hash of facebook logo>" />
> <img src="missing.png" integrity="<hash of youtube logo>" />
> <img src="missing.png" integrity="<hash of yahoo logo>" />
> <img src="missing.png" integrity="<hash of amazon logo>" />
> <img src="missing.png" integrity="<hash of wikipedia logo>" />
> <img src="missing.png" integrity="<hash of twitter logo>" />
>
> Moreover, when combined with onload/onerror or simple time measuring,
> that could be sent back to the server.
>
>
> *It would be a great source for code obfuscation, though.

Received on Saturday, 5 September 2015 08:58:08 UTC
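
The peer-assisted delivery idea in the message above, sketched as an added example (not code from the thread or from any browser): bytes from an untrusted peer are used only if they match the `integrity` value, otherwise the client falls back to the authoritative origin. All function names and the `peer_fetch`/`origin_fetch` callables are hypothetical; token parsing assumes the SRI `alg-base64digest` form.

```python
import base64
import hashlib

# Hash algorithms SRI defines, ranked weakest to strongest.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def make_integrity(content, alg="sha256"):
    """Build an SRI-style value, e.g. 'sha256-<base64 digest>'."""
    digest = hashlib.new(alg, content).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")


def parse_integrity(metadata):
    """Return {algorithm: set of expected raw digests}, skipping bad tokens."""
    parsed = {}
    for token in metadata.split():
        alg, _, rest = token.partition("-")
        b64 = rest.split("?", 1)[0]  # drop an optional ?options suffix
        if alg not in STRENGTH or not b64:
            continue
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            continue
        if len(digest) == hashlib.new(alg).digest_size:
            parsed.setdefault(alg, set()).add(digest)
    return parsed


def matches(content, metadata):
    """True only if content hashes to a digest of the strongest listed algorithm."""
    parsed = parse_integrity(metadata)
    if not parsed:
        return False  # fail closed: no usable hash means no peer content
    strongest = max(parsed, key=STRENGTH.get)
    return hashlib.new(strongest, content).digest() in parsed[strongest]


def fetch_verified(metadata, peer_fetch, origin_fetch):
    """Accept peer bytes only if they verify; otherwise use the origin."""
    data = peer_fetch()
    if data is not None and matches(data, metadata):
        return data, "peer"
    data = origin_fetch()
    if not matches(data, metadata):
        raise ValueError("origin response does not match integrity metadata")
    return data, "origin"
```

This checks only that the delivered bytes match the hash the page declared. It does nothing about the cross-origin and history-probing concerns raised in the quoted replies, which come from treating the hash as a cache key rather than as a check.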