- From: Francois Marier <francois@mozilla.com>
- Date: Wed, 16 Sep 2015 16:52:04 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
While testing the Firefox implementation of SRI using the
web-platform-tests, I found this edge case:
<html>
  <head>
    <link rel="stylesheet" href="style.css"
          integrity="sha256-correcthash">
    <link rel="stylesheet" href="style.css"
          integrity="sha256-incorrecthash">
  </head>
</html>
In Firefox, because of internal optimizations in the CSS loader, we
don't check integrity if we have already successfully loaded a
stylesheet (with same URI + CORS mode + referrer) within a document.
It's not related to the HTTP cache, but rather to an in-memory data
structure that gets reused if an author loads the same stylesheet more
than once in a document. If you reload the page or load the stylesheet
from a different document, its integrity gets checked again.
I discussed this with my colleagues and we couldn't think of a way that
this would lead to a security bug, but I thought I should mention it here.
Francois
Received on Wednesday, 16 September 2015 23:52:33 UTC
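As an added illustration (not code from the mail or from Firefox), a toy stylesheet loader in Python that reproduces the skipped check when a sheet is reused by URL within one document, beside the per-element check SRI calls for; the stylesheet bytes, the RESOURCES lookup standing in for the network, and the incorrect hash token are all constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed stand-in for fetching over the network: URL -> stylesheet bytes.
RESOURCES = {"style.css": b"body { color: #333; }"}

def sri_digest(alg, data):
    """Return the SRI token '<alg>-<base64 digest>' that an integrity attribute carries."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, data).digest()).decode()

class LinkCollector(HTMLParser):
    """Collect (href, integrity) for every <link rel="stylesheet">, in document order."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "stylesheet":
            self.links.append((a.get("href"), a.get("integrity")))

def integrity_ok(data, integrity):
    """True if any listed token matches the data; unknown or malformed tokens never match."""
    for token in integrity.split():
        alg = token.partition("-")[0]
        if alg in ("sha256", "sha384", "sha512") and sri_digest(alg, data) == token:
            return True
    return False

def load_stylesheets(html, cache_hit_skips_check):
    """Return one 'loaded'/'blocked' verdict per <link>.
    cache_hit_skips_check=True models the behaviour in the mail: a sheet already loaded
    under the same URL is reused without re-checking the second element's integrity."""
    collector = LinkCollector()
    collector.feed(html)
    loaded, verdicts = set(), []
    for href, integrity in collector.links:
        data = RESOURCES[href]
        if cache_hit_skips_check and href in loaded:
            verdicts.append("loaded")          # reused from the in-document cache, no check
        elif integrity is None or integrity_ok(data, integrity):
            loaded.add(href)
            verdicts.append("loaded")
        else:
            verdicts.append("blocked")         # per-element check fails: sheet not applied
    return verdicts

# The document from the mail, with a real digest of the constructed bytes and a bogus second token.
DOC = ('<html><head>'
       f'<link rel="stylesheet" href="style.css" integrity="{sri_digest("sha256", RESOURCES["style.css"])}">'
       '<link rel="stylesheet" href="style.css" integrity="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=">'
       '</head></html>')
```

Running `load_stylesheets(DOC, True)` yields both links as loaded, while `load_stylesheets(DOC, False)` blocks the second, which is the difference a web-platform-test for this case would assert on.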