Bug 1208875: Subresource Integrity fails on Blob?
Status: RESOLVED DUPLICATE of bug 1208629 (Closed)
Opened 9 years ago; Closed 9 years ago
Categories: Core :: DOM: Security (defect)
People: Reporter: freddy, Unassigned
Attachments: 1 file (deleted), application/javascript
As reported in <https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/comment-page-1/#comment-18803>, SRI does not seem to work with a blob URI.
I have reproduced this error with the attached JS file, as run in a scratchpad on e.g., example.com.
The JS executes fine when I comment out the line that adds the integrity attribute.
Comment 1 • 9 years ago (Reporter)
The comment author's blog post discusses caching scripts in localStorage and reloading them using blobs or data URIs with integrity. SRI is used to prevent XSS attacks from becoming persistent.
I could read and understand the post quite well using Google Translate.
The summary is that data URIs don't work, because Chrome treats them as cross-origin. Blobs work in Chrome but fail to load in Firefox. See the table at <https://imququ.com/post/enhance-security-for-ls-code.html> for more.
Comment 2 • 9 years ago
(In reply to Frederik Braun [:freddyb] from comment #1)
> The comment author's blog post discusses caching scripts in localStorage and
> reloading them using blobs or data URIs with integrity. SRI is used to
> prevent XSS attacks from becoming persistent.
>
> I could read and understand the post quite well using Google Translate.
> The summary is that data URIs don't work, because Chrome treats them as
> cross-origin. Blobs work in Chrome but fail to load in Firefox. See the
> table at <https://imququ.com/post/enhance-security-for-ls-code.html> for
> more.
I am the author of this post. And I had sent a mail to public-webappsec@w3.org asking this question:
> While testing the Chrome and Firefox's implementation of SRI, I found something interesting.
>
> 1) Test SRI with data URIs:
>
> <script crossorigin="anonymous" integrity="sha256-0URT8NZXh/hI7oaypQXNjC07bwnLB52GAjvNiCaN7Gc=" src="data:application/x-javascript,alert(%22hello%20world!%22);"></script>
>
> 2) Test SRI with Blob URL:
>
> <script>
> var blob = new Blob(['alert("hello world!");'], {type: "application/x-javascript"});
> var blobUrl = URL.createObjectURL(blob);
> document.write('<script crossorigin="anonymous" integrity="sha256-0URT8NZXh/hI7oaypQXNjC07bwnLB52GAjvNiCaN7Gc=" src="'+ blobUrl +'"></sc' + 'ript>');
> </script>
>
> In Chrome : Version 46.0.2490.33 beta (64-bit)
>
> 1) data URIs : Throw an exception.
> Subresource Integrity: The resource 'data:application/x-javascript,alert(%22hello%20world!%22);' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has not been blocked, but no integrity check occurred.
>
> 2) Blob URL : Everything is OK.
> The script will be executed with correct hash, won't be executed with incorrect hash.
>
> In Firefox : 44.0a1 (2015-09-23)
>
> 1) data URIs, 2) Blob URL : The script won't be executed, both with correct hash and with incorrect hash.
>
> May the SRI spec give some specific recommendations for this?
And this is a reply from Anne van Kesteren:
> Only the blob URL should work per Fetch, to which SRI defers. (That is
> because data URLs for <script> get tainted and SRI cannot poke into
> tainted responses.)
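Added example, not part of the bug report or the linked post: the use case in this thread is script text cached in localStorage and checked against an SRI hash before it is reused. The JavaScript (Node.js) code below performs that check on the text itself, following the SRI rule that only the strongest listed algorithm counts; `loadCachedScript` and the `Map` standing in for localStorage are assumptions.

```javascript
// Added example (not from the bug): SRI-style check of cached script text.
const { createHash } = require("node:crypto");

// Hash algorithms defined for SRI, weakest to strongest.
const ALGORITHMS = ["sha256", "sha384", "sha512"];

// Build an integrity value ("sha256-<base64 digest>") for a script body.
function computeIntegrity(text, algorithm = "sha256") {
  if (!ALGORITHMS.includes(algorithm)) throw new Error("unsupported algorithm: " + algorithm);
  return algorithm + "-" + createHash(algorithm).update(text, "utf8").digest("base64");
}

// Split an integrity attribute into {algorithm, digest} entries. Tokens with
// an unknown algorithm are skipped and any "?options" suffix is dropped.
function parseIntegrity(value) {
  const entries = [];
  for (const token of String(value).trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/_-]+={0,2})(\?.*)?$/.exec(token);
    if (m) entries.push({ algorithm: m[1], digest: m[2] });
  }
  return entries;
}

// True only if the text matches a digest listed for the strongest algorithm
// present. The SRI algorithm treats a value with no usable token as a pass;
// this helper fails closed, because the text comes from script-writable storage.
function verifyIntegrity(text, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return false;
  const rank = (e) => ALGORITHMS.indexOf(e.algorithm);
  const strongest = entries.reduce((a, b) => (rank(b) > rank(a) ? b : a)).algorithm;
  const actual = createHash(strongest).update(text, "utf8").digest();
  return entries.some(
    (e) => e.algorithm === strongest && Buffer.from(e.digest, "base64").equals(actual)
  );
}

// Hypothetical cache read: `store` is a Map standing in for localStorage.
// A cached body that fails verification is evicted and never returned.
function loadCachedScript(store, key, integrity) {
  const text = store.get(key);
  if (typeof text !== "string") return null;
  if (verifyIntegrity(text, integrity)) return text;
  store.delete(key);
  return null;
}

// Script body taken from the test case quoted in the thread.
const SAMPLE = 'alert("hello world!");';
```

The expected integrity value has to come from somewhere the page's scripts cannot overwrite, such as the server-rendered HTML, not from the same storage as the cached text.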
Updated • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE