W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: SRI: edge case when loading the same stylesheet twice in a document

From: Brian Smith <brian@briansmith.org>
Date: Thu, 17 Sep 2015 17:04:52 -0700
Message-ID: <CAFewVt56_D8=1kD9Hap-ncAhWMo8Fneovj0BcMDfin2-LF_0rw@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Sep 16, 2015 at 4:52 PM, Francois Marier <francois@mozilla.com>
wrote:

> <html>
> <head>
> <link rel="stylesheet" href="style.css"
>       integrity="sha256-correcthash">
> <link rel="stylesheet" href="style.css"
>       integrity="sha256-incorrecthash">
> </head>
> </html>
>
> In Firefox, because of internal optimizations in the CSS loader, we
> don't check integrity if we have already successfully loaded a
> stylesheet (with same URI + CORS mode + referrer) within a document.
>
> It's not related to the HTTP cache, but rather to an in-memory data
> structure that gets reused if an author loads the same stylesheet more
> than once in a document. If you reload the page or load the stylesheet
> from a different document, its integrity gets checked again.
>

Presumably it wouldn't be terribly difficult to add the digest to that data
structure so that this is a non-issue.

However, consider the threat model. The primary threat is that the host of
the stylesheet IS NOT trustworthy, but the host of the web page IS
trustworthy. Thus, the attacker can modify the stylesheet but not the web
page. Therefore under SRI's primary threat model there is no way for the
attacker to induce this condition, so there's no security issue.

(Note that your particular example doesn't seem very realistic because the
untrusted host is the same as the trusted host. In general, it is a good
idea to always use separate hosts in SRI examples, so that the examples
make sense when considering SRI's threat model.)

Cheers,
Brian
Received on Friday, 18 September 2015 00:05:26 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC