Commit e624489

Fail closed on CORS failures
1 parent d3d1adc commit e624489

2 files changed

+10
-17
lines changed

specs/subresourceintegrity/index.html

Lines changed: 5 additions & 10 deletions
@@ -542,7 +542,7 @@ <h4 id="does-varresponsevar-match-varmetadatalistvar">Does <var>response</var> m
542542
<a href="#parse-metadata.x">parsing <var>metadataList</var></a>.</li>
543543
<li>If <var>parsedMetadata</var> is <code>no metadata</code>, return <code>true</code>.</li>
544544
<li>If <a href="#is-response-eligible-for-integrity-validation"><var>response</var> is not eligible for integrity
545-
validation</a>, return <code>true</code>.</li>
545+
validation</a>, return <code>false</code>.</li>
546546
<li>Let <var>metadata</var> be the result of <a href="#get-the-strongest-metadata-from-set.x">getting the strongest
547547
metadata from <var>parsedMetadata</var></a>.</li>
548548
<li>For each <var>item</var> in <var>metadata</var>:
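
Review bot: the changed step at new line 545 returns `false` with no reporting of its own, and the only mention of a console warning is a SHOULD inside a `class="note"` paragraph later in this file. Now that an ineligible response blocks the resource instead of letting it load, the author needs that signal to tell a missing-CORS failure from a digest mismatch. Suggest making the warning part of this step, for example "report a warning to the developer console and return `false`".
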
@@ -580,12 +580,10 @@ <h4 id="does-varresponsevar-match-varmetadatalistvar">Does <var>response</var> m
580580
correctly, even if the HTTPS version of a resource differs from the HTTP
581581
version.</p>
582582

583-
<p class="note">This algorithm returns <code>true</code> if the response is not eligible for integrity
584-
validation, on the general principle that client errors (in this case, an
585-
attempt to validate the integrity of a response that is not accessible via
586-
same-origin or CORS) should fail open since they are not the result of an attack
587-
in the threat model of this specification. However, user agents SHOULD report
588-
a warning message about this failure in the developer console.</p>
583+
<p class="note">This algorithm returns <code>false</code> if the response is not eligible for integrity
584+
validation since Subresource Integrity requires CORS, and it is a logical error
585+
to attempt to use it without CORS. Additionally, user agents SHOULD report a
586+
warning message to the developer console to explain this failure.</p>
589587

590588
</section>
591589
<!-- Algorithms::Match -->
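
Review bot: in the rewritten note at new lines 583-586, "Subresource Integrity requires CORS" drops the "same-origin or CORS" wording of the paragraph it replaces, and reads as if same-origin responses also need CORS. Suggest "requires the response to be same-origin or accessible via CORS", or linking to the eligibility definition that the algorithm step already references.
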
@@ -865,9 +863,6 @@ <h3 id="cross-origin-data-leakage">Cross-origin data leakage</h3>
865863
common usernames, and specify those hashes while repeatedly attempting
866864
to load the document.</p>
867865

868-
<p>User agents SHOULD mitigate the risk by refusing to fire <code>error</code> events
869-
on elements which loaded non-CORS cross-origin resources, but
870-
some side-channels will likely be difficult to avoid.</p>
871866
</section>
872867
<!-- /Security::cross-origin -->
873868

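Review bot: removing lines 868-870 leaves this section ending on the attack description (specifying hashes of common usernames while repeatedly loading the document) with nothing saying why it no longer works. Suggest replacing the deleted paragraph with one sentence stating that a response not eligible for integrity validation now always fails the match, so the result does not depend on the response's content, rather than deleting the mitigation text outright.
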
specs/subresourceintegrity/spec.markdown

Lines changed: 5 additions & 7 deletions
@@ -412,7 +412,7 @@ the user agent.
412412
[parsing <var>metadataList</var>][parse].
413413
2. If <var>parsedMetadata</var> is `no metadata`, return `true`.
414414
3. If [<var>response</var> is not eligible for integrity
415-
validation][eligible], return `true`.
415+
validation][eligible], return `false`.
416416
4. Let <var>metadata</var> be the result of [getting the strongest
417417
metadata from <var>parsedMetadata</var>][get-the-strongest].
418418
5. For each <var>item</var> in <var>metadata</var>:
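
Review bot: step 3 at line 415 flips from `true` to `false` with no accompanying author guidance. Any page that put integrity metadata on a cross-origin resource fetched without CORS previously had it loaded unverified and will now have it blocked. Suggest adding a sentence near this step telling authors that such a request has to be made with CORS (for example via the `crossorigin` attribute) and that the server has to answer with a matching `Access-Control-Allow-Origin` header.
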
@@ -448,12 +448,10 @@ correctly, even if the HTTPS version of a resource differs from the HTTP
448448
version.
449449
{:.note}
450450

451-
This algorithm returns `true` if the response is not eligible for integrity
452-
validation, on the general principle that client errors (in this case, an
453-
attempt to validate the integrity of a response that is not accessible via
454-
same-origin or CORS) should fail open since they are not the result of an attack
455-
in the threat model of this specification. However, user agents SHOULD report
456-
a warning message about this failure in the developer console.
451+
This algorithm returns `false` if the response is not eligible for integrity
452+
validation since Subresource Integrity requires CORS, and it is a logical error
453+
to attempt to use it without CORS. Additionally, user agents SHOULD report a
454+
warning message to the developer console to explain this failure.
457455
{:.note}
458456

459457
[parse]: #parse-metadata.x
