Re: SRI: edge case when loading the same stylesheet twice in a document from Daniel Veditz on 2015-09-19 (public-webappsec@w3.org from September 2015)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sat, 19 Sep 2015 16:14:21 -0700
To: Brian Smith <brian@briansmith.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADYDTCC-EhbiBFA+eGXuzmQYF+aNXb1bBxYyCaUF5byPjPurNQ@mail.gmail.com>

On Thu, Sep 17, 2015 at 5:04 PM, Brian Smith <brian@briansmith.org> wrote:

> However, consider the threat model. The primary threat is that the host of
> the stylesheet IS NOT trustworthy, but the host of the web page IS
> trustworthy.
>

In this case the page author is clearly untrustworthy because two different
hashes were given to the same resource. If there are two different hash
algorithms it's possible they really refer to the same content--do we have
to check both just in case there's an unknown hash collision attack for one
of them? Hopefully we'll drop support for weak hashes before that's an
issue.

 If they use the same hash algorithm and the first one passes the styles
are in the page and affecting layout. The sole effect of this bug is that
the error message for the second instance is not reported. If the order
were reversed then the first error is reported and then the second one
loads as expected.

-
Dan Veditz

Received on Saturday, 19 September 2015 23:14:49 UTC