Commit 5805bfe

author
Francois Marier
committed
SRI: clarify the CORS requirement in security considerations (fixes #418)
1 parent 23d39ab commit 5805bfe

1 file changed

+16
-9
lines changed

specs/subresourceintegrity/spec.markdown

@@ -715,23 +715,30 @@ insecure.
715715
<section>
716716
### Cross-origin data leakage
717717

718-
Attackers can determine whether some cross-origin resource has certain
719-
content by attempting to load it with a known digest, and watching for
720-
load failures. If the load fails, the attacker can surmise that the
721-
response didn't match the hash, and thereby gain some insight into its
722-
contents. This might reveal, for example, whether or not a user is
718+
This specification requires the [CORS settings attribute][] to be present on
719+
integrity-protected cross-origin requests. If that requirement were omitted,
720+
attackers could violate the [same-origin policy][] and determine whether
721+
a cross-origin resource has certain content.
722+
723+
Attackers would attempt to load the resource with a known digest, and
724+
watch for load failures. If the load fails, the attacker could surmise
725+
that the response didn't match the hash and thereby gain some insight into
726+
its contents. This might reveal, for example, whether or not a user is
723727
logged into a particular service.
724728

725-
Moreover, attackers can brute-force specific values in an otherwise
726-
static resource: consider a JSON response that looks like this:
729+
Moreover, attackers could brute-force specific values in an otherwise
730+
static resource. Consider a JSON response that looks like this:
727731

728732
{'status': 'authenticated', 'username': 'admin'}
729733
{:.example}
730734

731-
An attacker can precompute hashes for the response with a variety of
735+
An attacker could precompute hashes for the response with a variety of
732736
common usernames, and specify those hashes while repeatedly attempting
733-
to load the document.
737+
to load the document. A successful load would confirm that the attacker
738+
has correctly guessed the username.
734739

740+
[CORS settings attribute]: http://www.w3.org/TR/html5/infrastructure.html#cors-settings-attributes
741+
[same-origin policy]: http://www.w3.org/Security/wiki/Same_Origin_Policy
735742
</section><!-- /Security::cross-origin -->
736743

737744
</section><!-- /Security -->
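
Review bot: the new opening paragraph (new lines 718-721) states the requirement but never says why it closes the leak, and it puts the attribute "on integrity-protected cross-origin requests" although the [CORS settings attribute][] is set on the element that triggers the fetch. Suggest wording along the lines of "to be present on elements that load integrity-protected cross-origin resources", followed by one sentence explaining that a CORS fetch only succeeds when the server opts in to sharing the response with the requesting origin, so a digest match or mismatch reveals nothing that origin could not already read. Two smaller points in the same hunk: the context line `{'status': 'authenticated', 'username': 'admin'}` is introduced as JSON but uses single quotes, and since the precomputed hash depends on the exact bytes of the response, double quotes would make the example accurate; and the link definitions added at new lines 740-741 use `http://` URLs where `https://` would be preferable.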
