
Re: [SRI] Proposal for extension: copyof: a reversed "fallbacksrc" attribute.

From: Ángel <angel@16bits.net>
Date: Sat, 02 Dec 2017 22:00:48 +0100
Message-ID: <1512248448.1277.10.camel@16bits.net>
To: public-webappsec@w3.org

Hello Willem

You don't really need an extra attribute for this.

When finding a tag 
<script src="script/jslibrary.js" 
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC">


The browser could notice that it has cached the content with hash
sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC

(that it downloaded from https://cdn.popular.library.example/jslibrary.js)

and simply use that.


The main problem with that approach is that it allows peeking into the
browser's cache. Thus, if the hash is actually the one of certain
subversive content disliked by my regime, I could use that to find which
users visited such content.

Requiring that the URL is included and also matches (partially)
restricts this, so it is an argument for not going down such a route.

Still, we can combine them just with the mentioned fallbacksrc.


Your example:
<script src="script/jslibrary.js" 
copyof="https://cdn.popular.library.example/jslibrary.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC">

could be written as
<script src="script/jslibrary.js" 
fallbacksrc="https://cdn.popular.library.example/jslibrary.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC">

The file would always be loaded from the visited site (well,
unless it gets removed), but the UA could see that it has such content
(matching the integrity hash) on the cache for the fallbacksrc, and use
that directly, instead of initiating a fetch from the visited site.


Best regards
Received on Saturday, 2 December 2017 21:01:18 UTC
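
Added example, not part of the original message and not browser code: a toy JavaScript model of the cache lookup discussed above, comparing a hash-only lookup with one that also requires the fallbacksrc URL to match. ToyCache, resolveScript, demo and the news.example / guess.example URLs are hypothetical names and constructed sample data.

```javascript
// Added example: toy model of a UA cache, not real browser code.
const { createHash } = require("crypto");

// SRI-style integrity string for a response body.
const sri = (body) =>
  "sha384-" + createHash("sha384").update(body).digest("base64");

class ToyCache {
  constructor() { this.entries = new Map(); }        // url -> body
  store(url, body) { this.entries.set(url, body); }

  // Policy A (hash only): any cached body with this hash is a hit,
  // so the caller learns whether that content was ever cached.
  byHash(integrity) {
    for (const body of this.entries.values()) {
      if (sri(body) === integrity) return body;
    }
    return null;
  }

  // Policy B (URL + hash): only the entry cached for the named URL counts.
  byUrlAndHash(url, integrity) {
    const body = this.entries.get(url);
    return body !== undefined && sri(body) === integrity ? body : null;
  }
}

// Resolve <script src fallbacksrc integrity> as the message describes:
// use the cached fallbacksrc copy if its hash matches, else fetch src.
function resolveScript(cache, el, fetchFn) {
  const cached = cache.byUrlAndHash(el.fallbacksrc, el.integrity);
  if (cached !== null) return { body: cached, from: "cache" };
  const body = fetchFn(el.src);
  if (sri(body) !== el.integrity) throw new Error("integrity mismatch");
  return { body, from: "network" };
}

// Constructed sample data: one shared library and one unrelated document.
function demo() {
  const lib = "/* jslibrary */", doc = "private document";
  const cache = new ToyCache();
  cache.store("https://cdn.popular.library.example/jslibrary.js", lib);
  cache.store("https://news.example/article", doc);
  const el = { src: "script/jslibrary.js", integrity: sri(lib),
    fallbacksrc: "https://cdn.popular.library.example/jslibrary.js" };
  return {
    loadedFrom: resolveScript(cache, el, () => lib).from,
    probeHashOnly: cache.byHash(sri(doc)) !== null,
    probeWrongUrl: cache.byUrlAndHash("https://guess.example/x", sri(doc)) !== null,
    probeKnownUrl: cache.byUrlAndHash("https://news.example/article", sri(doc)) !== null,
  };
}
```

The known-URL probe still hits under Policy B, which is the "(partially)" in the message: binding the lookup to a URL narrows what a page can ask about the cache, it does not remove the signal.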
