- From: Bertil Chapuis <bchapuis@gmail.com>
- Date: Wed, 19 Sep 2018 14:55:02 +0200
- To: dev.akhawe@gmail.com
- Cc: public-webappsec@w3.org, Kévin Huguenin <kevin.huguenin@unil.ch>, Igor Bilogrevic <ibilogrevic@google.com>, Mike West <mkwst@google.com>
Hello Dev,

> There is a lot of history here
> https://github.com/w3c/webappsec-subresource-integrity/issues/68
> The spec work is a bit tricky too given that you need to define the cross origin tag for anchor etc. But if @annevk is helping, I am confident most spec issues can be resolved.

Thanks for the pointer, we noticed this issue but still had a couple of questions regarding the ongoing discussion.

In our understanding, the download attribute currently informs the browser to download the resource pointed to by a link, even if the Content-Disposition header of the HTTP response is not set. As suggested by @annevk, as this attribute only works for same-origin URLs, an exception for anchor tags that include both the cross-origin and the download attributes could be introduced. As these attributes are not mandatory, wouldn't it be more appropriate to simply trigger a download if the integrity tag is present (regardless of the MIME type, Content-Disposition or download attribute)? Note that from a security perspective, the integrity attribute is less needed in the same-origin context.

As hinted by @mikewest, CORS is required to prevent the exposition of the content of the resource via hashes. However, if anchor tags containing integrity attributes systematically trigger downloads in a fire-and-forget fashion, would such exposition of the content occur?

Best regards,
Bertil
Received on Wednesday, 19 September 2018 12:55:34 UTC