
SRI: data URIs and Blob URL

From: Jerry Qu <quguangyu@gmail.com>
Date: Wed, 23 Sep 2015 23:50:11 +0800
Message-ID: <CAGGh6wz_o8n2brvwpVV-Gevbf16+oT9s_kVwWHrHgNqJ+OqU5g@mail.gmail.com>
To: public-webappsec@w3.org
hi,

While testing Chrome's and Firefox's implementations of SRI, I found
something interesting.

*1) Test SRI with data URIs:*

<script crossorigin="anonymous"
integrity="sha256-0URT8NZXh/hI7oaypQXNjC07bwnLB52GAjvNiCaN7Gc="
src="data:application/x-javascript,alert(%22hello%20world!%22);"></script>

*2) Test SRI with Blob URL:*

<script>
var blob = new Blob(['alert("hello world!");'], {type: "application/x-javascript"});
var blobUrl = URL.createObjectURL(blob);
document.write('<script crossorigin="anonymous" integrity="sha256-0URT8NZXh/hI7oaypQXNjC07bwnLB52GAjvNiCaN7Gc=" src="' + blobUrl + '"></sc' + 'ript>');
</script>

*In Chrome : Version 46.0.2490.33 beta (64-bit)*

1) data URIs : Throws an exception.
Subresource Integrity: The resource
'data:application/x-javascript,alert(%22hello%20world!%22);' has an
integrity attribute, but the resource requires the request to be CORS
enabled to check the integrity, and it is not. The resource has not been
blocked, but no integrity check occurred.

2) Blob URL : Everything is OK.
The script will be executed with a correct hash, and won't be executed with
an incorrect hash.

*In Firefox : 44.0a1 (2015-09-23)*

1) data URIs, 2) Blob URL : The script won't be executed, both with a correct
hash and with an incorrect hash.

Could the SRI spec give some specific recommendations for this?

-- 

Jerry Qu (https://imququ.com)
Received on Wednesday, 23 September 2015 15:52:12 UTC