W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: SRI: edge case when loading the same stylesheet twice in a document

From: Francois Marier <francois@mozilla.com>
Date: Sun, 20 Sep 2015 19:48:40 -0700
Message-ID: <55FF7008.20204@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 20/09/15 06:06 PM, Tanvi Vyas wrote:
> On Sat, Sep 19, 2015 at 4:14 PM, Daniel Veditz <dveditz@mozilla.com
> <mailto:dveditz@mozilla.com>> wrote:
>     On Thu, Sep 17, 2015 at 5:04 PM, Brian Smith <brian@briansmith.org
>     <mailto:brian@briansmith.org>> wrote:
> 
>         However, consider the threat model. The primary threat is that
>         the host of the stylesheet IS NOT trustworthy, but the host of
>         the web page IS trustworthy.
> 
>     In this case the page author is clearly untrustworthy because two
>     different hashes were given to the same resource.‚Äč
> 
> Not necessarily.  If a third party hosts two different versions of a
> subresource without changing the filename or path, the first party might
> include the hash of both, knowing one of the two should succeed.

If I understand the use case you're describing, the author would most
likely use:

<html>
<head>
<link rel="stylesheet" href="style.css"
      integrity="sha256-hash1 sha256-hash2">
</head>
</html>

Francois
Received on Monday, 21 September 2015 02:49:11 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC