Re: SRI: edge case when loading the same stylesheet twice in a document

On Sat, Sep 19, 2015 at 4:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On Thu, Sep 17, 2015 at 5:04 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> However, consider the threat model. The primary threat is that the host
>> of the stylesheet IS NOT trustworthy, but the host of the web page IS
>> trustworthy.
>>
>
> In this case the page author is clearly untrustworthy because two
> different hashes were given to the same resource.​
>

Not necessarily.  If a third party hosts two different versions of a
subresource without changing the filename or path, the first party might
include the hash of both, knowing one of the two should succeed.


> If there are two different hash algorithms it's possible they really refer
> to the same content--do we have to check both just in case there's an
> unknown hash collision attack for one of them? Hopefully we'll drop support
> for weak hashes before that's an issue.
>
>  If they use the same hash algorithm and the first one passes the styles
> are in the page and affecting layout. The sole effect of this bug is that
> the error message for the second instance is not reported. If the order
> were reversed then the first error is reported and then the second one
> loads as expected.
>
> -
> ​Dan Veditz​
>
>

Received on Monday, 21 September 2015 01:06:51 UTC