- From: Frederik Braun <fbraun@mozilla.com>
- Date: Thu, 17 Sep 2015 10:10:08 +0200
- To: public-webappsec@w3.org

On 17.09.2015 02:26, Conrad Irwin wrote:
> I think this is only safe if there's no way to make the page re-load the
> same stylesheet.
>
> If you remove the link element and re-add it in javascript, will that
> cause another request?
>
> If so a malicious person could detect whether this is the first load of
> the stylesheet or the second, and serve different content both times.

That's a good point. But is it going to reuse the same data structure if
the same URL returns a different resource? I was hoping not.

Received on Thursday, 17 September 2015 08:11:29 UTC