On Thu, Sep 17, 2015 at 5:04 PM, Brian Smith <brian@briansmith.org> wrote: > However, consider the threat model. The primary threat is that the host of > the stylesheet IS NOT trustworthy, but the host of the web page IS > trustworthy. > In this case the page author is clearly untrustworthy because two different hashes were given to the same resource. If there are two different hash algorithms it's possible they really refer to the same content--do we have to check both just in case there's an unknown hash collision attack for one of them? Hopefully we'll drop support for weak hashes before that's an issue. If they use the same hash algorithm and the first one passes the styles are in the page and affecting layout. The sole effect of this bug is that the error message for the second instance is not reported. If the order were reversed then the first error is reported and then the second one loads as expected. - Dan VeditzReceived on Saturday, 19 September 2015 23:14:49 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC