-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SRI: explain CORS requirement clearly #418
Comments
cc @devd @fmarier @mozfreddyb, and maybe of interest to @annevk and @mikewest |
This came about from a discussion raised on trying to get Ember to default SRI to be enabled by default which is risky if it is deployed over multiple origins. The only safe thing I can get my addon to do is to only add integrities to relative URLs unless the user explicitly sets a crossorigin. (As mentioned in previous bugs this will harm implementations although a solution isn't clear either). The only next best thing is to explain clearly to developers and library writers why CORS is required for assets on their servers. |
I'm not sure this needs additional clarification. It's no different from cross-origin scripts not throwing useful exceptions unless CORS is used. |
But also, SRI is more generic than just scripts. |
@annevk I would argue it could be overlooked by a new programmer being forced to implement SRI. Clearly explaining why things are harder than they might expect should lower the barrier to them giving up etc. Is there was a more generic place like the CORS spec itself this one could cite that might be better for future specs also? |
Hmm, https://fetch.spec.whatwg.org/#http-cors-protocol just has a basic explanation of what it protects. If anything |
IMHO, we should re-phrase section 5.3 under Security Considerations to cover what Jonathan is asking for. I've had to explain it to a few people already, so I don't think it will be non-obvious to a lot of readers of this spec. Additionally, the last sentence of that section no longer makes sense:
We don't allow non-CORS cross-origin loads with SRI. |
filed #422 for removing the note. The broader issue about CORS and why we need it: I think it is best fixed by browser warnings and blogging etc. Do developers read specs as much as stack overflow, html5rocks.com etc? |
Certainly some developers do read standards which use what they learn to trickle down to the wider community. I would actually suggest formalising all the gotchas from:
These may be obvious to people who have worked in the industry a long time or have a vested interest in specs however as the whole internet security pins from it I think it would be useful to have a published note that was a centralised resource. That way other specs could also reference different rationale in the note rather than rewriting it each time. |
So as I discussed with @wseltzer it would be useful to have a from the security interest group a SOP note on how SOP works in the wild as a definitive source. However this doesn't solve this clarity issue here as it shouldn't hold up rec on SRI. As crossorigin isn't specified anywhere a small note may be useful. |
What do you mean isn't specified? |
@annevk we are not linking to: https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attributes and also explaining clearly the integrity checking exploit why CORS is required for non SOP requests. |
With #422, we should add a sentence to (at least) the security considerations, that explain why we do CORS (i.e. very briefly re-iterate the danger of leaks). We should also link to the cors attributes, I'm sure. |
hmm .. so I am confused. What do we want to do finally (in addition to #422)? I think regardless of what we do, this is gonna be a problem until there are articles and developer resources outside of the spec. |
I took a stab at this in #485. |
SRI: clarify the CORS requirement in security considerations (fixes #418)
This thread is brilliant! I was trying to wrap my head around why the relationship between SRI and CORS and without this thread I would have been left scratching my head! |
The CORS requirement in the specification I feel isn't clear enough for developers to understand why CORS was made as a requirement.
This comment clearly explains the reason it was added:
#338 (comment)
A clear example of an attacker being able to bypass firewall security by:
Clearly explaining that:
This attack bypasses the current security of the attacker only able to execute the code instead of being able to know all of its contents.
The text was updated successfully, but these errors were encountered: