W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

SRI: edge case when loading the same stylesheet twice in a document

From: Francois Marier <francois@mozilla.com>
Date: Wed, 16 Sep 2015 16:52:04 -0700
Message-ID: <55FA00A4.5040201@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
While testing the Firefox implementation of SRI using the
web-platform-tests, I found this edge case:

<html>
<head>
<link rel="stylesheet" href="style.css"
      integrity="sha256-correcthash">
<link rel="stylesheet" href="style.css"
      integrity="sha256-incorrecthash">
</head>
</html>

In Firefox, because of internal optimizations in the CSS loader, we
don't check integrity if we have already successfully loaded a
stylesheet (with same URI + CORS mode + referrer) within a document.

It's not related to the HTTP cache, but rather to an in-memory data
structure that gets reused if an author loads the same stylesheet more
than once in a document. If you reload the page or load the stylesheet
from a different document, its integrity gets checked again.

I discussed this with my colleagues and we couldn't think of way that
this would lead to a security bug, but I thought I should mention it here.

Francois
Received on Wednesday, 16 September 2015 23:52:33 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC