
Commit 73e50e6

Author: Francois Marier (committed)
Merge pull request #485 from fmarier/sri-issue418
SRI: clarify the CORS requirement in security considerations (fixes #418)
2 parents de73e7a + 5805bfe commit 73e50e6

File tree

1 file changed: +16 -9 lines changed


specs/subresourceintegrity/spec.markdown

Lines changed: 16 additions & 9 deletions
Original file line number | Diff line number | Diff line change
@@ -657,23 +657,30 @@ insecure.
657657
<section>
658658
### Cross-origin data leakage
659659

660-
Attackers can determine whether some cross-origin resource has certain
661-
content by attempting to load it with a known digest, and watching for
662-
load failures. If the load fails, the attacker can surmise that the
663-
response didn't match the hash, and thereby gain some insight into its
664-
contents. This might reveal, for example, whether or not a user is
660+
This specification requires the [CORS settings attribute][] to be present on
661+
integrity-protected cross-origin requests. If that requirement were omitted,
662+
attackers could violate the [same-origin policy][] and determine whether
663+
a cross-origin resource has certain content.
664+
665+
Attackers would attempt to load the resource with a known digest, and
666+
watch for load failures. If the load fails, the attacker could surmise
667+
that the response didn't match the hash and thereby gain some insight into
668+
its contents. This might reveal, for example, whether or not a user is
665669
logged into a particular service.
666670

667-
Moreover, attackers can brute-force specific values in an otherwise
668-
static resource: consider a JSON response that looks like this:
671+
Moreover, attackers could brute-force specific values in an otherwise
672+
static resource. Consider a JSON response that looks like this:
669673

670674
{'status': 'authenticated', 'username': 'admin'}
671675
{:.example}
672676

673-
An attacker can precompute hashes for the response with a variety of
677+
An attacker could precompute hashes for the response with a variety of
674678
common usernames, and specify those hashes while repeatedly attempting
675-
to load the document.
679+
to load the document. A successful load would confirm that the attacker
680+
has correctly guessed the username.
676681

682+
[CORS settings attribute]: http://www.w3.org/TR/html5/infrastructure.html#cors-settings-attributes
683+
[same-origin policy]: http://www.w3.org/Security/wiki/Same_Origin_Policy
677684
</section><!-- /Security::cross-origin -->
678685

679686
</section><!-- /Security -->
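Review bot: the new sentence at diff lines 660-663 ("requires the [CORS settings attribute][] to be present on integrity-protected cross-origin requests") locates the mitigation in the attribute being present on the request, but the attribute only makes the fetch a CORS request; the leak is prevented because a response from a server that has not opted in to CORS for the requesting origin (no matching Access-Control-Allow-Origin) fails the CORS check before any digest comparison, while a server that does opt in has already agreed to expose that body to the origin. Suggest saying so explicitly, e.g. "requires that integrity-protected cross-origin resources be requested with the [CORS settings attribute][] and that the response pass the CORS check; a server that does not opt in via CORS therefore never has its content compared against an attacker-supplied digest", so a reader does not conclude that adding `crossorigin` alone is the protection. Minor: the two new reference links at lines 682-683 use http:// for w3.org; https:// serves both pages and is the better choice in a security-considerations section.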
