W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: SRI: edge case when loading the same stylesheet twice in a document

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sat, 19 Sep 2015 16:14:21 -0700
Message-ID: <CADYDTCC-EhbiBFA+eGXuzmQYF+aNXb1bBxYyCaUF5byPjPurNQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Sep 17, 2015 at 5:04 PM, Brian Smith <brian@briansmith.org> wrote:

> However, consider the threat model. The primary threat is that the host of
> the stylesheet IS NOT trustworthy, but the host of the web page IS
> trustworthy.

In this case the page author is clearly untrustworthy because two different
hashes were given to the same resource.​ If there are two different hash
algorithms it's possible they really refer to the same content--do we have
to check both just in case there's an unknown hash collision attack for one
of them? Hopefully we'll drop support for weak hashes before that's an

 If they use the same hash algorithm and the first one passes the styles
are in the page and affecting layout. The sole effect of this bug is that
the error message for the second instance is not reported. If the order
were reversed then the first error is reported and then the second one
loads as expected.

​Dan Veditz​
Received on Saturday, 19 September 2015 23:14:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:51 UTC