- From: Conrad Irwin <conrad.irwin@gmail.com>
- Date: Wed, 16 Sep 2015 17:26:51 -0700
- To: Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAOTq_pudbFd7g5K8iqGHDp8GgG0KGZc4qf5_dp7t9cjHKfxbcQ@mail.gmail.com>
I think this is only safe if there's no way to make the page re-load the same stylesheet. If you remove the link element and re-add it in JavaScript, will that cause another request? If so, a malicious person could detect whether this is the first load of the stylesheet or the second, and serve different content both times.

Conrad

On Wed, Sep 16, 2015 at 4:52 PM, Francois Marier <francois@mozilla.com> wrote:
> While testing the Firefox implementation of SRI using the
> web-platform-tests, I found this edge case:
>
> <html>
> <head>
> <link rel="stylesheet" href="style.css"
> integrity="sha256-correcthash">
> <link rel="stylesheet" href="style.css"
> integrity="sha256-incorrecthash">
> </head>
> </html>
>
> In Firefox, because of internal optimizations in the CSS loader, we
> don't check integrity if we have already successfully loaded a
> stylesheet (with same URI + CORS mode + referrer) within a document.
>
> It's not related to the HTTP cache, but rather to an in-memory data
> structure that gets reused if an author loads the same stylesheet more
> than once in a document. If you reload the page or load the stylesheet
> from a different document, its integrity gets checked again.
>
> I discussed this with my colleagues and we couldn't think of a way that
> this would lead to a security bug, but I thought I should mention it here.
>
> Francois
Received on Thursday, 17 September 2015 00:28:29 UTC
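The markup Francois quotes is exactly the shape a page author can catch before a browser's loader reuse ever matters: the same stylesheet URL linked twice with integrity attributes that disagree (or with one copy missing the attribute). The following linter is an added example, not code from the thread or from Firefox; it uses only the Python standard library and the sample HTML is constructed from the quoted message.

```python
"""Added example: flag <link rel="stylesheet"> elements that reuse one href with
differing or missing integrity attributes, so conflicting SRI metadata is caught
at authoring time rather than silently skipped by a browser's stylesheet reuse."""
from collections import defaultdict
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect (href, integrity) for every stylesheet <link>, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        rels = (a.get("rel") or "").lower().split()
        if "stylesheet" in rels and a.get("href"):
            # integrity is None when the attribute is absent on this copy
            self.links.append((a["href"], a.get("integrity")))


def find_inconsistent_sri(html):
    """Return {href: [integrity values in document order]} for every href that is
    linked more than once with non-identical integrity attributes."""
    parser = _LinkCollector()
    parser.feed(html)
    by_href = defaultdict(list)
    for href, integrity in parser.links:
        by_href[href].append(integrity)
    return {h: v for h, v in by_href.items() if len(v) > 1 and len(set(v)) > 1}


# Constructed sample: the two-link case from the thread plus a consistent pair.
SAMPLE = """<html><head>
<link rel="stylesheet" href="style.css" integrity="sha256-correcthash">
<link rel="stylesheet" href="style.css" integrity="sha256-incorrecthash">
<link rel="stylesheet" href="other.css" integrity="sha256-abc">
<link rel="stylesheet" href="other.css" integrity="sha256-abc">
</head></html>"""

if __name__ == "__main__":
    for href, values in find_inconsistent_sri(SAMPLE).items():
        print(f"{href}: conflicting integrity values {values}")
```

Only `style.css` is reported for the sample; `other.css` is linked twice with identical hashes and is left alone.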