-
Notifications
You must be signed in to change notification settings - Fork 36
Remove "type:*" from integrity
, add type
attribute.
#44
Comments
If you think that's the approach we should use, it should be fixed in the spec, not here :) Another way to look at it is that if the server starts returning a different content-type, then it's returning a different resource. SRI is about ensuring that the server always returns the same exact resource (otherwise it gets blocked). So the failure to load is a feature, not a bug. Also, I'm not sure how good browsers are at enforcing the |
You are correct regarding the purpose/nature of SRI/"type". I don't necessarily think the "type" directive should be removed from the spec; just from this tool. To paraphrase what you said regarding 2079187 (specifically, the exclusion of SHA-512), srihash.org is built around the idea of making SRI easy-to-use. In this case, I would interpret "easy to use" as being plug-and-play for any CDN (regardless of which Javascript Enforcement of the |
These all load :( (Chrome/FF, Linux). Haven't tried <img src="http://upload.wikimedia.org/wikipedia/meta/0/08/Wikipedia-logo-v2_1x.png">
<img src="http://upload.wikimedia.org/wikipedia/meta/0/08/Wikipedia-logo-v2_1x.png" type="image/png">
<img src="http://upload.wikimedia.org/wikipedia/meta/0/08/Wikipedia-logo-v2_1x.png" type="image/jpg">
<img src="http://upload.wikimedia.org/wikipedia/meta/0/08/Wikipedia-logo-v2_1x.png" type="image/svg">
<img src="http://upload.wikimedia.org/wikipedia/meta/0/08/Wikipedia-logo-v2_1x.png" type="text/plain"> Maybe |
Interesting results :) Yeah, it would be nice is these were enforced more generally.
I think we should go for both security and ease-of-use. Giving people the choice to go for In the case of the content type, I think it's different. First of all, we're giving not an extra option to users, it's still a one-click process. Secondly, the spec insists that developers should specificy the content-type in order to prevent MIME type confusion attacks. As per that note, Firefox issues a warning in the devtools when it's missing. Finally, we're going to need the content type if version 2 of SRI adds the caching improvements that got removed in V1, so it's good to get it in there early. You make good points about the possibility for breakage if CDNs end up changing their content-type. I suspect (maybe wrongly) that it's unlikely they will and that if they did, it may lead to other breakage. The good thing is that if it stops working (because of content-type mismatch) and a developer comes back to |
Fair enough. Tangentially related, I see that the big list of JS content-types I found before is actually a "must include" in the HTML5 spec. Should I add them to |
I suppose we should, yes. Also, I noticed this in the spec (note the link to the canonical HTML5 spec, not the W3C fork ;-) ):
Perhaps we should return an error (instead of a warning) when we see these. It would be worth creating a separate issue for this since it no longer has anything to do with this bug :) |
I propose that we no longer provide a "type" directive in the SRI
integrity
attribute, and instead provide a HTMLtype
attribute:RE w3c/webappsec/#176, the optional "type" directive in SRI is intended to prevent the server from having any say in how a script is parsed (GIFAR-style confusion-of-context attacks). It does this by enforcing a failure state, should an unexpected unexpected content-type be served -- even if the hash is valid. In practice, this rule would break the sub-resource whenever a content-type header changes.
Enforcing a parsing rule (via the
type
attribute), instead of failing outright (per thecontent-type
header), would:content-type
confusion-of-context attackscontent-type
content-type
directives (such as "charset")content-type
header)I also propose that use of the
type
attribute, and disuse of the "type" SRI directive, should be advised as a best-practice.The text was updated successfully, but these errors were encountered: