-
Notifications
You must be signed in to change notification settings - Fork 108
Use SRI to Detect More Libraries #26
Comments
@chris-barry Just to clarify, are you suggesting that this be used to detect common libraries that are self-hosted? If so, I think it is a good idea overall. However, some users might want to disable this functionality as it is a fingerprintable trait. That is, the fact that this add-on is installed could be detected by a web page you visit due to the behavior you describe. |
Yes, that's exactly what I am suggesting. And I completely agree about the fingerprintability. It should be opt-in, maybe under an "aggressive" mode, or similar. |
Currently, Decentraleyes doesn't get along well with The issue, as described in #16, is quite hard to tackle as it seems that there's no way to tell if these attributes are present in the DOM when looking at an intercepted HTTP request. Also, the corresponding page is still mostly unparsed when the requests are sent out. So we'll need to find another way. Once the related issue is solved (there has to be a way to detect the presence of these attributes on request interception), we can indeed use the resulting information to power this feature. Thanks for the suggestion! Any further suggestions would, of course, be greatly appreciated. |
This is a really neat idea! But allow me to briefly explain a security problem that comes with using an SRI hash for caching: Assume somone has a very secure website, Now, let's also assume there is a trivial XSS vulnerability at Here come's a way to attack this with a cache poisoning attack: An attacker can inject something that includes NB: Using SRI for caching is a neat idea and we're still looking at how to do so securely. Possibly via opt-in :/ Read more about that on the w3c SRI issue tracker. If you have feedback, please provide your comments on the mailing list and not in the github issue) |
Please consider preserving an option to "fuggadabout SRI and (just) facilitate caching". |
Will the "integrity" SRI attribute cause the browser to reject our permacached copy of a script when the "inject a comment denoting locally injected file" option is active? |
If you modify the file, it will have a different hash. Even if it's just a comment. So, yes, it will be bocked. |
Mozilla recently put in SRI support into Firefox. If a script tag has a SRI attached, and it matches the hash of a known, then it can be assumed there is no need to download the resource.
Edit: To be clear, this would allow the same library hosted anywhere to be caught. I don't know the current usage of SRI, but hopefully it grows.
The text was updated successfully, but these errors were encountered: