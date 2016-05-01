I really appreciate the clarity of this post. The author is building up the groundwork without skipping steps that may be obvious to many readers. I of course knew the purpose of a hash before reading the article, but some people don't - and that sentence clearly let those users know why the hash matters without making it less readable for knowledgeable readers.
Writing clarity matters.
It's not really as useful if you are serving your static assets from the same place as the HTML (and you always use HTTPS) but if you load your js/css on another server SRI can still provide some protection.
[0] https://github.com/waysact/webpack-subresource-integrity
[1] https://github.com/waysact/webpack-subresource-integrity#pro...
Say I have jQuery previously loaded a page that included jQuery from CDNJS and now I'm in China and another site tries to load jQuery from Google's CDN.
Currently that request would get blocked by the great firewall. But since the browser should know that this file matches one it has seen (and cached) before it should be able to just serve the cached file.
This could also save a network request even if I'm linking to a self-hosted file on my own servers if I include the hash.
[1] https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Proto...
There is Cache-Control: immutable
https://hacks.mozilla.org/2017/01/using-immutable-caching-to...
https://bitsup.blogspot.de/2016/05/cache-control-immutable.h...
Not that many people use CSP, but that's the excuse I've heard for not allowing cross-origin caching.
The problem is that www.victim.example/evil.js doesn't exist, and never did, but your browser won't know that if it's in the cache -- this gives you a way of faking files existing on other servers at the URL of your choice, and as long as they're in the cache you'll get away with it.
and from [2]:
0. evil.example hosts evil.js, <script src=evil.js integrity=foo>.
1. you visit evil.example and the browser stores evil.js with the cache key "foo".
2. you visit victim.example which has an XSS vulnerability, but victim.example thinks it is safe because it uses Content Security Policy and does not allow inline scripts or scripts form evil domains.
3. the XSS attack is loading <script src=www.victim.example/evil.js hash=foo>
4. the browser detects that "foo" is a known hash key and loads the evil.js from cache. Thinking that the file is hosted on victim.example - when the file is in fact not even present.
5. the evil.js script executes in the context of victim.example, even though they use a Content Security Policy to prevent XSS from being exploitable.
[1] https://news.ycombinator.com/item?id=10310594 [2] https://news.ycombinator.com/item?id=10311555 [3] https://news.ycombinator.com/item?id=10312333
(parts first posted here: https://news.ycombinator.com/item?id=13493407#13495482)
[5] https://news.ycombinator.com/item?id=13495482
[6] https://github.com/w3c/webappsec-subresource-integrity/issue...
As a caveat, there's info leaking here depending on whether the cache hits/misses, so this would need to be opt-in from the cache source, e.g. You set up subresource integrity and also say "allow other domains to load this resource from the cache."
Call it subresource sharing?
Edit: opt-in would need to be on both "sides" (sharer and sharee).
If the site doesn't want to leak that information, it doesn't participate in cache sharing. Since sharing is opt-in, sites won't unknowingly leak this information.
Edit: whoops. I see what you mean. I missed an edit while modifying an earlier draft and left the opt-in only on one side, the sharer.
Your stripe js, scary ad networks js, front-end analytics companies. SRI is really neat and helps protect yourself from these many 3rd parties being pwned.
If jQuery is compromised you'll detect it and download from different location but for stripe there is no fallback.
If they want you to stay up-to-date, they'll provide a piece of PHP/Node that emits the latest URL/SRI tag.
Stripe rolls out a fix for a security issue or other bug in their JS. This breaks your subresource-integrity check. The didn't want you to stop accepting payments, they wanted to fix a vuln.
That hampers the usefulness of using subresource-integrity on 3rd-party resources today (which is what yeldarb suggested). Perhaps in the future the 3rd party would provide a script that emits the URL/SRI, but that isn't today.
the 3rd party would provide a script that emits the URL/SRI
Then how do you verify the integrity the integrity for the tag?
And anything important like your financial provider is usually very risk-averse to breaking changes, and should give plenty of notice for an update. And if you're including a hash, you don't care about automatic updates anyways.
I can understand trusting one CDN for performance reasons. But do people really add so many different dependencies on their sites? Should I be doing that instead?
This doesn't make sense to me. Why shouldn't I be able to perform integrity checking on resources from non-CORS domains?
See, e.g., <https://github.com/w3c/webappsec/issues/418> for some broader discussion.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...
