
Hash method mismatch in consuming preloads can allow response not matching consumer's integrity #7973

Closed
hiroshige-g opened this issue Jun 1, 2022 · 2 comments · Fixed by #7974

Comments

@hiroshige-g
Contributor

#7738 allows consuming preloads if

the user-agent has determined that preloadIntegrityMetadata is stronger than consumerIntegrityMetadata

but this can cause a response that doesn't match consumerIntegrityMetadata to pass the SRI check, if it does match preloadIntegrityMetadata.
For example,

<link rel="preload" as="script" href="foo.js" integrity="sha512-aaaaa">
<script src="foo.js" integrity="sha256-bbbbb"></script>

where the received foo.js's SHA512 hash is aaaaa and its SHA256 hash is ccccc, not bbbbb.
This can be problematic when bbbbb is the correct hash and the received foo.js and the <link rel=preload>'s hash aaaaa are wrong.

Maybe the "stronger than" condition should be removed?
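The following is an added example, not code from the HTML spec, from any browser, or from the issue author; it models the check described in the comment above so the failure can be seen on real digests. It assumes a simplified preload-consumption rule: with the "stronger than" clause, a preload whose metadata ranks higher is consumed on the strength of its own check alone; without the clause, the preload is consumed only when both integrity attributes carry identical metadata, and otherwise the consumer verifies the body against its own attribute. The function names, the strength ranking table and the two sample script bodies are constructed for the example.

```python
import base64
import hashlib

# Constructed sample inputs (not from the issue): the script the page author
# intended to ship, and a modified copy standing in for a wrong/stale response.
GOOD_BODY = b"window.ready = true; // constructed sample script\n"
TAMPERED_BODY = b"window.ready = true; fetch('/x'); // constructed modified script\n"

# Assumed strength ranking used by the "stronger than" comparison in this model.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_token(algorithm: str, body: bytes) -> str:
    """Build an integrity token such as 'sha256-<base64 digest>' for body."""
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_metadata(integrity: str) -> set:
    """Parse an integrity attribute into a set of (algorithm, base64digest)
    pairs, ignoring tokens whose algorithm the model does not know."""
    out = set()
    for token in integrity.split():
        alg, _, digest = token.partition("-")
        if alg in STRENGTH and digest:
            out.add((alg, digest))
    return out


def matches(integrity: str, body: bytes) -> bool:
    """Plain SRI check: body passes if any token in the metadata matches it."""
    return any(sri_token(alg, body) == f"{alg}-{digest}"
               for alg, digest in parse_metadata(integrity))


def strongest(integrity: str) -> int:
    """Rank of the strongest algorithm present in the metadata (0 if none)."""
    return max((STRENGTH[alg] for alg, _ in parse_metadata(integrity)), default=0)


def script_executes(preload_integrity: str, consumer_integrity: str,
                    body: bytes, allow_stronger: bool) -> bool:
    """Return True if the consuming <script> ends up executing body.

    allow_stronger=True models the rule the comment objects to: a preload whose
    metadata is stronger than the consumer's is consumed, so only the preload's
    own check is ever applied to the body.  allow_stronger=False models removing
    that clause (an assumption of this example): the preload is consumed only
    when both metadata sets are identical; otherwise the consumer fetches and
    verifies against its own metadata (modelled as receiving the same body).
    """
    preload_meta = parse_metadata(preload_integrity)
    consumer_meta = parse_metadata(consumer_integrity)
    consumable = preload_meta == consumer_meta or (
        allow_stronger and strongest(preload_integrity) > strongest(consumer_integrity))
    if consumable:
        return matches(preload_integrity, body)
    return matches(consumer_integrity, body)


def reproduce_issue() -> dict:
    """The scenario from the comment: the consumer carries the correct sha256 of
    the intended script, the preload carries a sha512 that matches only the
    wrong body, and the wrong body is what arrives."""
    consumer = sri_token("sha256", GOOD_BODY)      # the "bbbbb" that is correct
    preload = sri_token("sha512", TAMPERED_BODY)   # the "aaaaa" that is wrong
    return {
        "with_stronger_than_rule": script_executes(preload, consumer, TAMPERED_BODY, True),
        "without_stronger_than_rule": script_executes(preload, consumer, TAMPERED_BODY, False),
        "good_body_still_accepted": script_executes(consumer, consumer, GOOD_BODY, False),
    }


if __name__ == "__main__":
    for name, executed in reproduce_issue().items():
        print(f"{name}: script {'executes' if executed else 'is blocked'}")
```

Under the "stronger than" rule the tampered body runs even though the `<script>` element's own sha256 was correct, because that sha256 is never compared with the body; once consumption requires matching metadata, the consumer's check is applied and the body is rejected, while a correct body is still accepted.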

@hiroshige-g
Contributor Author

@noamr @domenic @annevk

This is implemented only in Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=1762520).

@noamr
Contributor

noamr commented Jun 1, 2022

I am OK with removing this (if Firefox are not opposed)

mfreed7 pushed a commit to mfreed7/html that referenced this issue Jun 3, 2022
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Jun 6, 2022
Bug: whatwg/html#7973
Change-Id: I1bbe327080a83bcd74f46f64668cf73490ef6d7c
aarongable pushed a commit to chromium/chromium that referenced this issue Jun 6, 2022
Bug: whatwg/html#7973
Change-Id: I1bbe327080a83bcd74f46f64668cf73490ef6d7c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3681845
Reviewed-by: Domenic Denicola <[email protected]>
Commit-Queue: Hiroshige Hayashizaki <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1011137}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Jun 6, 2022
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Jun 6, 2022
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue Jun 10, 2022
…in consuming preloads, a=testonly

Automatic update from web-platform-tests
[WPT] Do not allow hash method mismatch in consuming preloads


--

wpt-commits: 30c171e417878a0bea178dd912770d6fd7348ebc
wpt-pr: 34272
mjfroman pushed a commit to mjfroman/moz-libwebrtc-third-party that referenced this issue Oct 14, 2022
NOKEYCHECK=True
GitOrigin-RevId: cebfd2b4ce9c3d7c230a09011f9b4f254bc55bea