W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: SRI: edge case when loading the same stylesheet twice in a document

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Sun, 20 Sep 2015 18:06:23 -0700
Message-ID: <CALC7Gs7aXFuObmCW1Ou6742P7CYVA8kpDen=xVkxo6KUpPmFYw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Brian Smith <brian@briansmith.org>, Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sat, Sep 19, 2015 at 4:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On Thu, Sep 17, 2015 at 5:04 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> However, consider the threat model. The primary threat is that the host
>> of the stylesheet IS NOT trustworthy, but the host of the web page IS
>> trustworthy.
>>
>
> In this case the page author is clearly untrustworthy because two
> different hashes were given to the same resource.​
>

Not necessarily.  If a third party hosts two different versions of a
subresource without changing the filename or path, the first party might
include the hash of both, knowing one of the two should succeed.


> If there are two different hash algorithms it's possible they really refer
> to the same content--do we have to check both just in case there's an
> unknown hash collision attack for one of them? Hopefully we'll drop support
> for weak hashes before that's an issue.
>
>  If they use the same hash algorithm and the first one passes the styles
> are in the page and affecting layout. The sole effect of this bug is that
> the error message for the second instance is not reported. If the order
> were reversed then the first error is reported and then the second one
> loads as expected.
>
> -
> ​Dan Veditz​
>
>
Received on Monday, 21 September 2015 01:06:51 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC