Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SRI: Should the about: scheme be whitelisted? #319

Closed
fmarier opened this issue Apr 30, 2015 · 11 comments
Closed

SRI: Should the about: scheme be whitelisted? #319

fmarier opened this issue Apr 30, 2015 · 11 comments
Labels
SRI
Milestone
SRI-v1-LC

Comments

@fmarier
Copy link
Member

fmarier commented Apr 30, 2015

In #280, @mozfreddyb asks: "should we really mandate that the about: scheme has always good integrity? It may be current practice, but I don't think we should rely on about things being from-disk content until eternity."
@fmarier fmarier added the SRI label Apr 30, 2015
@fmarier fmarier added this to the SRI-v1-LC milestone Apr 30, 2015
@fmarier fmarier mentioned this issue Apr 30, 2015
Closed
9 tasks
@devd
Copy link
Contributor

devd commented May 1, 2015

I agree. we shouldn't mandate.

@mikewest
Copy link
Member

mikewest commented May 1, 2015

I added this originally to deal with <iframe>, which spawns about:blank before loading whatever exists in src. Since you've dropped <iframe>, you probably don't need to care about about:.

I'd suggest something like step 5/6 from https://w3c.github.io/webappsec/specs/powerfulfeatures/#is-origin-trustworthy to future-proof this, allowing UAs to whitelist things like chrome-extension:// resources.

@devd
Copy link
Contributor

devd commented May 1, 2015

hmm .. I think that doesn't need to be whitelisted. If you specify a SRI value, then chrome-extension:// loads should also check hash. In the future, we might talk about this in the context of "require-for-all" directive where we might say "dont inherit the require directive for iframes in chrome-extension://" etc.

@annevk
Copy link
Member

annevk commented May 2, 2015

@mikewest does <iframe> or new top-level-borwsing context loading about:blank go through Fetch? Perhaps we should have a special code path for that...

@annevk
Copy link
Member

annevk commented May 2, 2015

(I think we can be fairly sure that the definition of about:blank won't change by the way, so maybe we should just not whitelist other values?)

@devd
Copy link
Contributor

devd commented May 17, 2015

hmm @annevk I didn't understand your last comment. can you clarify?

@fmarier
Copy link
Member Author

fmarier commented May 27, 2015

I think @annevk is suggesting that we whitelist about:blank only. Not the whole about: scheme.

@mozfreddyb
Copy link
Contributor

Ack, I think whitelisting about:blank only sounds good to me.

@devd
Copy link
Contributor

devd commented May 27, 2015

fine by me; although, to confirm my understanding, I would be curious: why would we need this in SRIv1? I can see value of this for iframes, which implicitly have an about:blank navigation.

@mozfreddyb
Copy link
Contributor

right… Let's just go with #390 then.

@devd
Copy link
Contributor

devd commented May 28, 2015 via email

devd added a commit that referenced this issue May 28, 2015
@devd
Merge pull request #390 from fmarier/sri-remove-about-whitelist
a282387 
SRI: stop whitelisting the `about` scheme (fix #319)
mikewest pushed a commit to mikewest/webappsec that referenced this issue Jun 29, 2015
@tabatkins
Make dfn-type definitions and headings turn original dashes into unde…
d8997b5 
…rscores, so you can have terms/headings that differ only by presence of a dash. Fixes w3c#319.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
SRI
Projects
None yet
Milestone
SRI-v1-LC
Development

No branches or pull requests
5 participants
@mikewest @devd @fmarier @annevk @mozfreddyb