
Re: SRI: edge case when loading the same stylesheet twice in a document

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Sun, 20 Sep 2015 20:57:50 -0700
Message-ID: <CALC7Gs7Qx_qeNk1Htx_EWJZaE-p8-15yN0v55a7_a=k7BN5guw@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Yes, that is true.  Thanks Francois!

On Sun, Sep 20, 2015 at 7:48 PM, Francois Marier <francois@mozilla.com>
wrote:

> On 20/09/15 06:06 PM, Tanvi Vyas wrote:
> > On Sat, Sep 19, 2015 at 4:14 PM, Daniel Veditz <dveditz@mozilla.com
> > <mailto:dveditz@mozilla.com>> wrote:
> >     On Thu, Sep 17, 2015 at 5:04 PM, Brian Smith <brian@briansmith.org
> >     <mailto:brian@briansmith.org>> wrote:
> >
> >         However, consider the threat model. The primary threat is that
> >         the host of the stylesheet IS NOT trustworthy, but the host of
> >         the web page IS trustworthy.
> >
> >     In this case the page author is clearly untrustworthy because two
> >     different hashes were given to the same resource.
> >
> > Not necessarily.  If a third party hosts two different versions of a
> > subresource without changing the filename or path, the first party might
> > include the hash of both, knowing one of the two should succeed.
>
> If I understand the use case you're describing, the author would most
> likely use:
>
> <html>
> <head>
> <link rel="stylesheet" href="style.css"
>       integrity="sha256-hash1 sha256-hash2">
> </head>
> </html>
>
> Francois
>
>
Received on Monday, 21 September 2015 03:58:20 UTC
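The behaviour Francois's snippet relies on is the SRI matching rule: every whitespace-separated token in `integrity` is a candidate, only the tokens using the strongest hash algorithm present are kept, and the fetched bytes pass if they match any one of those digests. The following Python model of that rule is an added example for this archive page, not code from the thread or from any browser; the two stylesheet versions and the tampered variant are constructed sample data, and all function names are the example's own.

```python
import base64
import hashlib
import re

# Strength ordering used by the SRI spec when several algorithms appear.
_ALGORITHM_RANK = {"sha256": 0, "sha384": 1, "sha512": 2}
# One token: <alg>-<base64>[?options]; unknown algorithms are skipped.
_TOKEN_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?$", re.IGNORECASE)


def parse_integrity(metadata):
    """Parse an integrity attribute into (algorithm, base64 digest) pairs.

    Tokens with an unrecognised algorithm are ignored, as the spec requires,
    so an attribute the browser cannot understand degrades to "no constraint".
    """
    parsed = []
    for token in metadata.split():
        m = _TOKEN_RE.match(token)
        if m:
            parsed.append((m.group(1).lower(), m.group(2)))
    return parsed


def strongest_metadata(parsed):
    """Keep only the entries that use the strongest algorithm present."""
    if not parsed:
        return []
    best = max(_ALGORITHM_RANK[alg] for alg, _ in parsed)
    return [(alg, digest) for alg, digest in parsed if _ALGORITHM_RANK[alg] == best]


def digest_b64(alg, data):
    """Base64 digest of the resource bytes, the form used inside integrity tokens."""
    return base64.b64encode(hashlib.new(alg, data).digest()).decode("ascii")


def integrity_matches(metadata, data):
    """True if the bytes match ANY strongest-algorithm digest in the metadata.

    Empty or fully unparseable metadata imposes no constraint and returns True.
    """
    candidates = strongest_metadata(parse_integrity(metadata))
    if not candidates:
        return True
    return any(digest_b64(alg, expected_alg_digest := expected) == expected_alg_digest
               if False else digest_b64(alg, data) == expected
               for alg, expected in candidates)


def integrity_for(data, alg="sha256"):
    """Build the integrity token an author would publish for these bytes."""
    return f"{alg}-{digest_b64(alg, data)}"


# Constructed sample: two versions of a third-party stylesheet served
# from the same path, as in the use case discussed in the thread.
STYLE_V1 = b"body { color: #222; }\n"
STYLE_V2 = b"body { color: #333; }\n"
STYLE_TAMPERED = b"body { color: red; } @import url(evil);\n"


def demo():
    """Compare one-hash and two-hash integrity attributes against each version."""
    combined = f"{integrity_for(STYLE_V1)} {integrity_for(STYLE_V2)}"
    return {
        # A single hash for v1 blocks v2: the page would get a failed load.
        "single_hash_v1_vs_v2": integrity_matches(integrity_for(STYLE_V1), STYLE_V2),
        # Both hashes in ONE attribute accept either published version...
        "combined_vs_v1": integrity_matches(combined, STYLE_V1),
        "combined_vs_v2": integrity_matches(combined, STYLE_V2),
        # ...while still rejecting bytes that match neither.
        "combined_vs_tampered": integrity_matches(combined, STYLE_TAMPERED),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'blocked'}")
```

The model shows why the two-`<link>` variant of the edge case and the single-attribute variant behave differently: each `<link>` is validated on its own, so one of two elements with one hash each must fail, whereas one element listing both digests loads whichever version the host currently serves and still blocks anything else.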

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC