W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: SRI: edge case when loading the same stylesheet twice in a document

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 17 Sep 2015 10:28:33 +0200
Message-ID: <CADnb78ho2e4qc_=6WFcm_sjMXjDMKNVyuPzgrT0n7AUgMiLJdQ@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Sep 17, 2015 at 1:52 AM, Francois Marier <francois@mozilla.com> wrote:
> I discussed this with my colleagues and we couldn't think of way that
> this would lead to a security bug, but I thought I should mention it here.

It doesn't lead to a security bug, but it can lead to observably
different behavior, since we won't dispatch an error event for the
second element. That seems bad. If this cache is used across
documents, as with "list of available images" (a standardized concept)
there's also CSP implications.

Received on Thursday, 17 September 2015 08:29:00 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:51 UTC