-
Notifications
You must be signed in to change notification settings - Fork 35
"Content-type" header is passed directly into result #38
Comments
Can you include options (i.e. encoding) in the "type" definition of the current spec? |
I guess we need to:
|
I would force string termination after anything that looked like a delimiter to the browser SRI interpreter (your regex...). |
Yeah, at the very least, we should have a blacklist to detect spaces and closing quotes, but whitelist-based approaches (only look at what you expect) are generally better. |
Just a note, I plan to audit every I/O in the XHR handler, to ensure that dodgy values can't be injected elsewhere. |
Regarding the spec, is there a reason "type:" is included at all? Now that it's not a per-hash ni-URI parameter, I don't see any actual use for it that can't already be handled by the HTML |
I'm not an expert on the HTML |
I can't find the issue (was originally pre-CSP2-style-change IIRC), but I remember reading somewhere that the reason for content-type matching was to prevent something like an Wouldn't this do the same thing, whilst simplifying the spec, and removing any ambiguity? My concern is that ni-URIs provided a hammer to solve a problem that could now be fixed with a spanner. I know this is the wrong place to ask, but w3c/webappsec is imposing, and I'm unsure of the etiquette :) |
Nevermind, I'm blind! I'll explain a little further in a new srihash.org issue. |
We need to parse the content-type header before generating the SRI attribute.
This is a security issue; both XSS and the ability to spoof hashes.
I'm mad at myself for not noticing this earlier.
The text was updated successfully, but these errors were encountered: