- From: Ángel <angel@16bits.net>
- Date: Sat, 02 Dec 2017 22:00:48 +0100
- To: public-webappsec@w3.org
Hello Willem You don't really need an extra attribute for this. When finding a tag <script src="script/jslibrary.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"> The browser could notice that it has cached the content with hash sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC (that it downloaded from https://cdn.popular.library.example/jslibrary.js) and simply use that. The main problem with that approach is that it allows peeking into the browser's cache. Thus, if the hash is actually the one of certain subversive content disliked by my regime, I could use that to find which users visited such content. Requiring that the url is included and also matches (partially) restricts this, so it is an argument for not going such route. Still, we can combine them just with the mentioned fallbacksrc. Your example: <script src=”script/jslibrary.js” copyof=”https://cdn.popular.library.example/jslibrary.js” integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"> could be written as <script src=”script/jslibrary.js” fallbacksrc=”https://cdn.popular.library.example/jslibrary.js” integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"> The would file would always be loaded from the visited site (well, unless it gets removed), but the UA could see that it has such content (matching the integrity hash) on the cache for the fallbacksrc, and use that directly, instead of initiating a fetch from the visited site. Best regards
Received on Saturday, 2 December 2017 21:01:18 UTC