Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SRI: support for multiple hashes with the same algorithm #367

Closed
devd opened this issue May 18, 2015 · 6 comments
Closed

SRI: support for multiple hashes with the same algorithm #367

devd opened this issue May 18, 2015 · 6 comments
Labels
SRI
Milestone
SRI-v1-LC

Comments

@devd
Copy link
Contributor

devd commented May 18, 2015

There does not appear a way to specify multiple hashes with the same algorithm. This may be useful in load-balancer situations where a phased rollout may mean some requests return different data from others.
@devd devd added this to the SRI-v1-LC milestone May 18, 2015
@fmarier fmarier changed the title There does not appear a way to specify multiple hashes with the same algorithm. This may be useful in load-balancer situations where a phased rollout may mean some requests return different data from others. SRI: support for multiple hashes with the same algorithm May 19, 2015
@fmarier
Copy link
Member

fmarier commented May 19, 2015

There is this:

  • 3.3.3 Parse metadata returns an array of hash values for the strongest supported hash, not just one.
  • 3.3.5 Does resource match metadataList? looks at each item in the metadata and proceeds with the load if one of them matches.

Do you feel we should clarify this further somewhere else?

@mozfreddyb
Copy link
Contributor

This is related to the feedback I got during my presentations of SRI.
You can supply two different hashes with the same function, which means compatibility for browser sniffing or a file that is likely to update in the future (e.g. v1.js and v2.js with both sha256).
Or you can supply to different hashes with a different function, which means the one that is considered more secure will be picked to allow better user agent support (v1.js with sha256 and sha512)

If you want to mix both, you have to supply 4 hashes (v1 sha256, v1 sha512, v2 sha256 and v2 sha512).

At least that's how I interpreted the standard. Anyhow, I guess we could phrase it differently in the spec.

@mozfreddyb mozfreddyb added the SRI label May 19, 2015
@fmarier
Copy link
Member

fmarier commented May 19, 2015

If you want to mix both, you have to supply 4 hashes (v1 sha256, v1 sha512, v2 sha256 and v2 sha512).

That's also how I interpreted the standard (and implemented it for that matter).

@devd
Copy link
Contributor Author

devd commented May 28, 2015

@metromoxie can you also confirm that you added support for an array of hashes? If so, we can close this out and ideally just fix it via a test case.

@joelweinberger
Copy link
Contributor

Yes, have have multiple hashes. See https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-allowed-multiple-hashes.html&sq=package:chromium for our LayoutTest that covers the two different kinds of cases we're talking about above.

@devd
Copy link
Contributor Author

devd commented May 29, 2015

since both readers of the spec understood it correctly and both have tests in place, I am closing this .

@devd devd closed this as completed May 29, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
SRI
Projects
None yet
Milestone
SRI-v1-LC
Development

No branches or pull requests
4 participants
@devd @fmarier @joelweinberger @mozfreddyb