W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

SRI: edge case when loading the same stylesheet twice in a document

From: Francois Marier <francois@mozilla.com>
Date: Wed, 16 Sep 2015 16:52:04 -0700
Message-ID: <55FA00A4.5040201@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
While testing the Firefox implementation of SRI using the
web-platform-tests, I found this edge case:

<link rel="stylesheet" href="style.css"
<link rel="stylesheet" href="style.css"

In Firefox, because of internal optimizations in the CSS loader, we
don't check integrity if we have already successfully loaded a
stylesheet (with same URI + CORS mode + referrer) within a document.

It's not related to the HTTP cache, but rather to an in-memory data
structure that gets reused if an author loads the same stylesheet more
than once in a document. If you reload the page or load the stylesheet
from a different document, its integrity gets checked again.

I discussed this with my colleagues and we couldn't think of way that
this would lead to a security bug, but I thought I should mention it here.

Received on Wednesday, 16 September 2015 23:52:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:51 UTC