Amend preload integrity check to better match implementations

noamr · web-flow · commit ad09edc4eb90 · 2022-05-18T20:42:52.000-04:00
Fixes #7736.
diff --git a/source b/source
@@ -2642,6 +2642,13 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <ul class="brief">
      <li><dfn data-x-href="https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url"><i>a priori</i> authenticated URL</dfn></li>
     </ul>
+
+    <p>The following terms are defined in <cite>Subresource Integrity</cite>: <ref spec=SRI></p>
+
+    <ul class="brief">
+     <li><dfn data-x-href="https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata">parse integrity metadata</dfn></li>
+     <li><dfn data-x-href="https://w3c.github.io/webappsec-subresource-integrity/#get-the-strongest-metadata">get the strongest metadata from set</dfn></li>
+    </ul>
    </dd>
 
    <dt>Paint Timing</dt>
@@ -14646,7 +14653,10 @@ data-x="rel-preload">preload</span>; <span data-x="attr-link-as">as</span>=font<
       <var>document</var> to <var>uncommittedPreloads</var>:</p>
 
       <ol>
-       <li><p>Let <var>entry</var> be new <span>preload entry</span>.</p></li>
+       <li><p>Let <var>entry</var> be new <span>preload entry</span> whose
+       <span data-x="preload integrity metadata">integrity metadata</span> is
+       <var>earlyRequest</var>'s <span
+       data-x="concept-request-integrity-metadata">integrity metadata</span>.</p></li>
 
        <li>
         <p>Let <var>respond</var> be the following steps given <span
@@ -26200,7 +26210,6 @@ document.body.appendChild(wbr);</code></pre>
    <dd>A <span>URL</span>
 
    <dt><dfn data-x="preload destination">destination</dfn>
-   <dt><dfn data-x="preload integrity metadata">integrity metadata</dfn>
    <dd>A string
 
    <dt><dfn data-x="preload mode">mode</dfn>
@@ -26216,6 +26225,9 @@ document.body.appendChild(wbr);</code></pre>
   item">items</span>:</p>
 
   <dl>
+   <dt><dfn data-x="preload integrity metadata">integrity metadata</dfn>
+   <dd>A string
+
    <dt><dfn data-x="preload response">response</dfn>
    <dd>Null or a <span data-x="concept-response">response</span>
 
@@ -26232,8 +26244,7 @@ document.body.appendChild(wbr);</code></pre>
   <ol>
    <li><p>Let <var>key</var> be a <span>preload key</span> whose <span data-x="preload
    URL">URL</span> is <var>url</var>, <span data-x="preload destination">destination</span> is
-   <var>destination</var>, <span data-x="preload integrity metadata">integrity metadata</span> is
-   <var>integrityMetadata</var>, <span data-x="preload mode">mode</span> is <var>mode</var>, and
+   <var>destination</var>, <span data-x="preload mode">mode</span> is <var>mode</var>, and
    <span data-x="preload credentials mode">credentials mode</span> is
    <var>credentialsMode</var>.</p></li>
 
@@ -26246,6 +26257,47 @@ document.body.appendChild(wbr);</code></pre>
 
    <li><p>Let <var>entry</var> be <var>preloads</var>[<var>key</var>].</p></li>
 
+   <li><p>Let <var>consumerIntegrityMetadata</var> be the result of
+   <span data-x="parse integrity metadata">parsing</span> <var>integrityMetadata</var>.</p></li>
+
+   <li><p>Let <var>preloadIntegrityMetadata</var> be the result of
+   <span data-x="parse integrity metadata">parsing</span> <var>entry</var>'s
+   <span data-x="preload integrity metadata">integrity metadata</span>.</p></li>
+
+   <li>
+    <p>If none of the following condition apply:</p>
+
+    <ul>
+     <li><p><var>consumerIntegrityMetadata</var> is <code data-x="">no metadata</code>;</p></li>
+
+     <li>
+      <p><var>consumerIntegrityMetadata</var> is equal to <var>preloadIntegrityMetadata</var>;
+      or</p>
+
+      <p class="XXX">This comparison would ignore unknown integrity options. See <a
+      href="https://github.com/w3c/webappsec-subresource-integrity/issues/116">issue #116.</a></p>
+     </li>
+
+     <li><p>the user-agent has determined that <var>preloadIntegrityMetadata</var> is
+     <span data-x="get the strongest metadata from set">stronger</span> than
+     <var>consumerIntegrityMetadata</var> <ref spec=SRI></p></li>
+    </ul>
+
+    <p>then return false.</p>
+
+    <p class="note">A mistmatch in integrity metadata between the preload and the consumer, even if
+    both match the data, would lead to an additional fetch from the network.</p>
+
+    <p class="note">It is important that <span data-x="network error">network errors</span> are
+    added to the preload cache so that if a preload request results in an error, the erroneous
+    response isn't re-requested from the network later. This also has security implications;
+    consider the case where a developer specifies subresource integrity metadata on a preload
+    request, but not the following resource request. If the preload request fails subresource
+    integrity verification and is discarded, the resource request will fetch and consume a
+    potentially-malicious response from the network without verifying its integrity. <ref
+    spec=SRI></p>
+   </li>
+
    <li><p><span data-x="map remove">Remove</span> <var>preloads</var>[<var>key</var>].</p></li>
 
    <li><p>If <var>entry</var> <span data-x="preload response">response</span> is null, then set
@@ -26341,9 +26393,7 @@ document.body.appendChild(wbr);</code></pre>
   <var>request</var>, return a new <span>preload key</span> whose <span data-x="preload
   URL">URL</span> is <var>request</var>'s <span data-x="concept-request-url">URL</span>, <span
   data-x="preload destination">destination</span> is <var>request</var>'s <span
-  data-x="concept-request-destination">destination</span>, <span data-x="preload integrity
-  metadata">integrity metadata</span> is <var>request</var>'s <span
-  data-x="concept-request-integrity-metadata">integrity metadata</span>, <span data-x="preload
+  data-x="concept-request-destination">destination</span>, <span data-x="preload
   mode">mode</span> is <var>request</var>'s <span data-x="concept-request-mode">mode</span>, and
   <span data-x="preload credentials mode">credentials mode</span> is <var>request</var>'s <span
   data-x="concept-request-credentials-mode">credentials mode</span>.</p>
@@ -26386,7 +26436,9 @@ document.body.appendChild(wbr);</code></pre>
    <li><p>Let <var>preloadKey</var> be the result of <span data-x="create a preload key">creating a
    preload key</span> given <var>request</var>.</p></li>
 
-   <li><p>Let <var>preloadEntry</var> be a new <span>preload entry</span>.</p></li>
+   <li><p>Let <var>preloadEntry</var> be a new <span>preload entry</span> whose
+   <span data-x="preload integrity metadata">integrity metadata</span> is <var>request</var>'s <span
+   data-x="concept-request-integrity-metadata">integrity metadata</span>.</p></li>
 
    <li><p><span data-x="map set">Set</span> <var>el</var>'s <span>node document</span>'s <span>map
    of preloaded resources</span>[<var>preloadKey</var>] to <var>preloadEntry</var>.</p></li>
