
Re: SRI: edge case when loading the same stylesheet twice in a document

From: Conrad Irwin <conrad.irwin@gmail.com>
Date: Wed, 16 Sep 2015 17:26:51 -0700
Message-ID: <CAOTq_pudbFd7g5K8iqGHDp8GgG0KGZc4qf5_dp7t9cjHKfxbcQ@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I think this is only safe if there's no way to make the page re-load the
same stylesheet.

If you remove the link element and re-add it in JavaScript, will that cause
another request?

If so, a malicious person could detect whether this is the first load of the
stylesheet or the second, and serve different content both times.

Conrad

On Wed, Sep 16, 2015 at 4:52 PM, Francois Marier <francois@mozilla.com>
wrote:

> While testing the Firefox implementation of SRI using the
> web-platform-tests, I found this edge case:
>
> <html>
> <head>
> <link rel="stylesheet" href="style.css"
>       integrity="sha256-correcthash">
> <link rel="stylesheet" href="style.css"
>       integrity="sha256-incorrecthash">
> </head>
> </html>
>
> In Firefox, because of internal optimizations in the CSS loader, we
> don't check integrity if we have already successfully loaded a
> stylesheet (with same URI + CORS mode + referrer) within a document.
>
> It's not related to the HTTP cache, but rather to an in-memory data
> structure that gets reused if an author loads the same stylesheet more
> than once in a document. If you reload the page or load the stylesheet
> from a different document, its integrity gets checked again.
>
> I discussed this with my colleagues and we couldn't think of a way that
> this would lead to a security bug, but I thought I should mention it here.
>
> Francois
>
>
Received on Thursday, 17 September 2015 00:28:29 UTC
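A lint for the duplicate-load edge case discussed in this thread, added here as an example (it is not code from the thread, from the web-platform-tests, or from Firefox). It collects a document's stylesheet links in order and, following the reuse rule Francois describes (same URI + CORS mode within one document; the referrer does not vary inside a document, so it is left out of the key), flags any later link whose integrity value differs from the first one's, since that later value is the one that may never be checked. Assumptions: hrefs are compared as written rather than resolved, and the first link for each key is assumed to have loaded successfully.

```python
from html.parser import HTMLParser

# Constructed sample: the thread's document, same stylesheet linked twice
# under two different integrity values.
SAMPLE = """<html><head>
<link rel="stylesheet" href="style.css" integrity="sha256-correcthash">
<link rel="stylesheet" href="style.css" integrity="sha256-incorrecthash">
</head></html>"""


class StylesheetLinks(HTMLParser):
    """Collect <link rel=stylesheet> elements in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "link" or not a.get("href"):
            return
        if "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        # CORS mode as the attribute is interpreted: absent -> no CORS,
        # "use-credentials" -> use-credentials, any other value -> anonymous.
        co = None
        if "crossorigin" in a:
            co = "use-credentials" if (a["crossorigin"] or "").lower() == "use-credentials" else "anonymous"
        self.links.append({"href": a["href"], "crossorigin": co,
                           "integrity": a.get("integrity") or None})


def find_unchecked_duplicates(html):
    """Return later links whose integrity value may never be enforced.
    Reuse key is (href as written, CORS mode); the referrer is constant within
    one document and is omitted. Assumes the first link per key loaded fine."""
    parser = StylesheetLinks()
    parser.feed(html)
    first_seen, findings = {}, []
    for index, link in enumerate(parser.links):
        earlier = first_seen.setdefault((link["href"], link["crossorigin"]), link)
        if earlier is not link and link["integrity"] != earlier["integrity"]:
            findings.append({"index": index, "href": link["href"],
                             "checked_integrity": earlier["integrity"],
                             "skipped_integrity": link["integrity"]})
    return findings


if __name__ == "__main__":
    for finding in find_unchecked_duplicates(SAMPLE):
        print(finding)
```

The most important finding is a first link without an integrity attribute followed by one with it: the page reads as if the sheet is integrity-checked, but under the described reuse rule it never is.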
