W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: SRI: edge case when loading the same stylesheet twice in a document

From: Francois Marier <francois@mozilla.com>
Date: Thu, 17 Sep 2015 09:17:58 -0700
Message-ID: <55FAE7B6.7020303@mozilla.com>
To: public-webappsec@w3.org
On 17/09/15 01:10 AM, Frederik Braun wrote:
> On 17.09.2015 02:26, Conrad Irwin wrote:
>> If you remove the link element and re-add it in javascript, will that
>> cause another request?
>>
>> If so a malicious person could detect whether this is the first load of
>> the stylesheet or the second, and serve different content both times.
> 
> That's a good point. But is it going to reuse the same data structure if
> the same URL returns a different resource? I was hoping not.

If it causes another network request (or a request to the HTTP cache)
then we'll check SRI on it. It's only when we've successfully loaded a
stylesheet in the same document that we skip the network load and by
extension any further SRI checks.

Francois
Received on Thursday, 17 September 2015 16:18:31 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC