Starred by 35 users
Status: Fixed
Owner:
Closed: Jun 2015
OS: All
Pri: 2
Type: Launch-OWP

Blocked on:
issue 429747
issue 443382
issue 443554



Subresource Integrity
Project Member Reported by mkwst@chromium.org, Mar 24 2014
Change description:
Subresource Integrity defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.

In a nutshell, metadata is added inline to various HTML elements which enables the browser to check the resource it downloaded matches the resource the page's author expected. Something like:

    <script src="https://code.jquery.com/jquery-1.10.2.min.js"
        integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=application/javascript"></script>

Links:
Public standards discussion: http://w3c.github.io/webappsec/specs/subresourceintegrity/

Support in other browsers:
- None yet, just published as a FPWD.

No milestone yet: the goal is to gain implementation experience to help answer some of the open questions in the WG.
 
Comment 1 by mkwst@chromium.org, Mar 24 2014
Cc: rsleevi@chromium.org scarybea...@gmail.com
Cc: palmer@chromium.org
Project Member Comment 3 by bugdroid1@chromium.org, Mar 28 2014
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=170313

------------------------------------------------------------------
r170313 | mkwst@chromium.org | 2014-03-28T11:40:23.357491Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/integrity-attribute.html?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLAnchorElement.idl?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLAttributeNames.in?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLEmbedElement.idl?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLMediaElement.idl?r1=170313&r2=170312&pathrev=170313
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/integrity-attribute-expected.txt?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLImageElement.idl?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/RuntimeEnabledFeatures.in?r1=170313&r2=170312&pathrev=170313
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/dom/plugin-attributes-enumeration-expected.txt?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLLinkElement.idl?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLSourceElement.idl?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLIFrameElement.idl?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLScriptElement.idl?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLTrackElement.idl?r1=170313&r2=170312&pathrev=170313
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLObjectElement.idl?r1=170313&r2=170312&pathrev=170313

SRI: Add the 'integrity' attribute, and a SubresourceIntegrity runtime flag.

This patch adds a new flag to begin experimentation with the Subresource
Integrity specification[1], and begins adding the minimal amount of
functionality so we can test that the flag is working. That turns out to
be the 'integrity' attribute on various HTML elements that we'll use
later in order to do the actual verification.

Intent to Implement at [2].

[1]: http://w3c.github.io/webappsec/specs/subresourceintegrity/
[2]: https://groups.google.com/a/chromium.org/d/msg/blink-dev/hTDUpMk_TV8/t_rjlkKfgGgJ

BUG= 355467 

Review URL: https://codereview.chromium.org/208423011
-----------------------------------------------------------------
Project Member Comment 4 by bugdroid1@chromium.org, Sep 23 2014
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=182523

------------------------------------------------------------------
r182523 | jww@chromium.org | 2014-09-23T23:11:05.271557Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-allowed-expected.txt?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-invalid-integrity.html?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.h?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-blocked.html?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/fail.js?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-invalid-integrity-expected.txt?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-blocked-expected.txt?r1=182523&r2=182522&pathrev=182523
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ScriptLoader.cpp?r1=182523&r2=182522&pathrev=182523
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/core.gypi?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-allowed.html?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/pass1of3.js?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/pass2of3.js?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.cpp?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrityTest.cpp?r1=182523&r2=182522&pathrev=182523
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/pass3of3.js?r1=182523&r2=182522&pathrev=182523
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/UseCounter.h?r1=182523&r2=182522&pathrev=182523

Implementation of subresource integrity attribute for secure origins.

This is an implementation of subresource integrity only for script tags
and secure origins. This uses the previously added integrity attribute
to calculate a digest for subresources and allow access to the resource
only if the digest matches the specified integrity value.

See http://www.w3.org/TR/SRI/ for the W3C standard proposal.

Intent to implement discussion:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/hTDUpMk_TV8

BUG= 355467 

Review URL: https://codereview.chromium.org/566083003
-----------------------------------------------------------------
Project Member Comment 5 by bugdroid1@chromium.org, Sep 30 2014
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=183000

------------------------------------------------------------------
r183000 | jww@chromium.org | 2014-09-30T23:05:52.670915Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-invalid-integrity-expected.txt?r1=183000&r2=182999&pathrev=183000
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-blocked-expected.txt?r1=183000&r2=182999&pathrev=183000
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ScriptLoader.cpp?r1=183000&r2=182999&pathrev=183000
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.cpp?r1=183000&r2=182999&pathrev=183000

Basic console error messages for subresource integrity.

Subresource integrity is behind an experimental flag in blink (see
https://codereview.chromium.org/566083003). This CL adds in some useful
console error messages when things go wrong, such as non-matching
integrity values or an unparsable integrity attribute.

R=mkwst@chromium.org

BUG= 355467 

Review URL: https://codereview.chromium.org/596043003
-----------------------------------------------------------------
Project Member Comment 6 by bugdroid1@chromium.org, Oct 7 2014
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=183365

------------------------------------------------------------------
r183365 | jww@chromium.org | 2014-10-07T23:13:20.325577Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/style-1-of-3.css?r1=183365&r2=183364&pathrev=183365
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/style-2-of-3.css?r1=183365&r2=183364&pathrev=183365
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/style-3-of-3.css?r1=183365&r2=183364&pathrev=183365
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-blocked-expected.txt?r1=183365&r2=183364&pathrev=183365
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-allowed-expected.txt?r1=183365&r2=183364&pathrev=183365
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-blocked.html?r1=183365&r2=183364&pathrev=183365
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLLinkElement.cpp?r1=183365&r2=183364&pathrev=183365
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-allowed.html?r1=183365&r2=183364&pathrev=183365

Implementation of subresource integrity attribute for style sheets.

This is an implementation of subresource integrity for style sheets set
on link elements. This CL adds a check to style sheet loads to make sure
that the digest of the style sheet content matches an integrity
attribute, if there is one. Similar to the script implementation, it is
only valid for secure origins to secure resources.

See http://www.w3.org/TR/SRI/ for the W3C standard proposal.

Intent to implement discussion:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/hTDUpMk_TV8

BUG= 355467 

Review URL: https://codereview.chromium.org/622783004
-----------------------------------------------------------------
Project Member Comment 7 by bugdroid1@chromium.org, Oct 8 2014
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=183418

------------------------------------------------------------------
r183418 | mkwst@chromium.org | 2014-10-08T15:35:45.961058Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/RuntimeEnabledFeatures.in?r1=183418&r2=183417&pathrev=183418

SRI: Tie subresource integrity to the experimental flag.

See http://www.w3.org/TR/SRI/ for the W3C standard proposal.

Intent to implement discussion:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/hTDUpMk_TV8

BUG= 355467 

Review URL: https://codereview.chromium.org/636103002
-----------------------------------------------------------------
Project Member Comment 8 by bugdroid1@chromium.org, Oct 16 2014
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=183788

------------------------------------------------------------------
r183788 | mkwst@chromium.org | 2014-10-16T07:14:40.859779Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-invalid-integrity-expected.txt?r1=183788&r2=183787&pathrev=183788
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.cpp?r1=183788&r2=183787&pathrev=183788
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrityTest.cpp?r1=183788&r2=183787&pathrev=183788
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-blocked.html?r1=183788&r2=183787&pathrev=183788
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-invalid-integrity.html?r1=183788&r2=183787&pathrev=183788
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.h?r1=183788&r2=183787&pathrev=183788
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-blocked.html?r1=183788&r2=183787&pathrev=183788
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/ParsingUtilities.h?r1=183788&r2=183787&pathrev=183788
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-allowed.html?r1=183788&r2=183787&pathrev=183788
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-allowed.html?r1=183788&r2=183787&pathrev=183788

Subresource Integrity: Improve parsing.

This CL more or less rewrites the parser with the goal of improving our
adherence to the spec. We now have reasonable error messages for parse
failures, and have tests for the individual components of the parser
(algorithms and digests). We also now correctly require 'ni:///' as the
URL prefix (we were previously ignoring the last '/').

BUG= 355467 

Review URL: https://codereview.chromium.org/656063002
-----------------------------------------------------------------
Project Member Comment 9 by bugdroid1@chromium.org, Oct 16 2014
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=183797

------------------------------------------------------------------
r183797 | sigbjornf@opera.com | 2014-10-16T09:34:41.188285Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrityTest.cpp?r1=183797&r2=183796&pathrev=183797

Oilpan: fix build after r183788.

TBR=oilpan-reviews,haraken
BUG= 355467 
NOTRY=true

Review URL: https://codereview.chromium.org/660723003
-----------------------------------------------------------------
Two issues I noticed in Canary 40.0.2208.0:

1) The spec says "sha-256" but Chrome wants "sha256" for the algorithm.
2) The spec uses URL-safe base64 encoding but Chrome does not support this yet.

So instead of using the script example in the description of this issue you currently have to use something like this:

    <script src="https://code.jquery.com/jquery-1.10.2.min.js"
        integrity="ni:///sha256;C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=?ct=application/javascript"></script>

Let me know if I should file a separate issue for this.

Comment 11 by jww@chromium.org, Nov 3 2014
So the standard is actually inconsistent about this, and we need to fix it.
I believe sha256 is the consensus way we're going, though.

Yup, that's a known issue, but if you wouldn't mind filing a bug for it
(and CC'ing me), that would be awesome!
@joel - I created an issue here: https://code.google.com/p/chromium/issues/detail?id=429747 (didn't allow me to cc anyone, I might need special permission for that?)
Comment 13 by jww@chromium.org, Nov 3 2014
Thanks!
Comment 14 by mkwst@chromium.org, Dec 18 2014
Blockedon: chromium:429747
Comment 15 by mkwst@chromium.org, Dec 18 2014
Blockedon: chromium:443554
Comment 16 by mkwst@chromium.org, Dec 18 2014
Blockedon: chromium:443382
Comment 18 by jww@chromium.org, Apr 18 2015
Cc: -jww@chromium.org mkwst@chromium.org
Owner: jww@chromium.org
Comment 19 by jww@chromium.org, Apr 18 2015
Status: Started
Project Member Comment 20 by bugdroid1@chromium.org, May 12 2015
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=195212

------------------------------------------------------------------
r195212 | jww@chromium.org | 2015-05-12T00:24:45.148423Z

Changed paths:
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-allowed-mimetypes.html?r1=195212&r2=195211&pathrev=195212
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-cors-bad-integrity-expected.txt?r1=195212&r2=195211&pathrev=195212
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.h?r1=195212&r2=195211&pathrev=195212
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLLinkElement.cpp?r1=195212&r2=195211&pathrev=195212
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-options-expected.txt?r1=195212&r2=195211&pathrev=195212
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-blocked-mimetypes-expected.txt?r1=195212&r2=195211&pathrev=195212
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-options.html?r1=195212&r2=195211&pathrev=195212
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-blocked-expected.txt?r1=195212&r2=195211&pathrev=195212
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-blocked-expected.txt?r1=195212&r2=195211&pathrev=195212
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-blocked-mimetypes.html?r1=195212&r2=195211&pathrev=195212
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ScriptLoader.cpp?r1=195212&r2=195211&pathrev=195212
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.cpp?r1=195212&r2=195211&pathrev=195212
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrityTest.cpp?r1=195212&r2=195211&pathrev=195212
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/UseCounter.h?r1=195212&r2=195211&pathrev=195212

Ignore unknown options to subresource integrity

The spec states that unknown options must be ignored by the user agent
so that new options may be added in the future. This adds support for
that along with appropriate tests.

BUG= 355467 

Review URL: https://codereview.chromium.org/1126343003
-----------------------------------------------------------------
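Added example, not part of the issue thread and not Blink's code: a small Python parser for the draft `ni:///` integrity value, covering the points raised in r183788 (all three slashes required), in the Canary report above ("sha-256" vs "sha256", URL-safe vs standard base64) and in r195212 (unknown options ignored). Accepting both spellings and both alphabets, the `sha384`/`sha512` entries, and `&` as the option separator are assumptions made for illustration.

```python
import base64
import binascii
import hashlib

PREFIX = "ni:///"  # all three slashes are required (r183788)
# Assumption: sha384/sha512 are modelled alongside the sha256 seen on the page.
HASHES = {"sha256": hashlib.sha256, "sha384": hashlib.sha384,
          "sha512": hashlib.sha512}
KNOWN_OPTIONS = {"ct"}  # the only option that appears on this page

# The two values quoted in the thread (draft-spec form and Canary form).
PAGE_SPEC_FORM = ("ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg"
                  "?ct=application/javascript")
PAGE_CANARY_FORM = ("ni:///sha256;C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg="
                    "?ct=application/javascript")


class IntegrityParseError(ValueError):
    """Raised when an integrity value cannot be parsed."""


def decode_digest(text):
    """Decode a digest written in either base64 alphabet, padded or not."""
    standard = text.replace("-", "+").replace("_", "/")
    standard += "=" * (-len(standard) % 4)
    try:
        return base64.b64decode(standard, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise IntegrityParseError("digest is not valid base64") from exc


def parse_integrity(value):
    """Return (algorithm, digest_bytes, options) or raise IntegrityParseError."""
    if not value.startswith(PREFIX):
        raise IntegrityParseError("missing 'ni:///' prefix")
    body, _, query = value[len(PREFIX):].partition("?")
    token, sep, digest_text = body.partition(";")
    name = token.lower()
    if name.startswith("sha-"):  # assumption: fold "sha-256" onto "sha256"
        name = "sha" + name[4:]
    if not sep or name not in HASHES:
        raise IntegrityParseError("unknown or missing algorithm")
    digest = decode_digest(digest_text)
    if len(digest) != HASHES[name]().digest_size:
        raise IntegrityParseError("digest length does not match algorithm")
    options = {}
    for pair in filter(None, query.split("&")):  # assumption: '&' separator
        key, _, val = pair.partition("=")
        if key in KNOWN_OPTIONS:  # unknown options are dropped, not errors
            options[key] = val
    return name, digest, options


def resource_matches(value, content):
    """True when the content's digest equals the one in the integrity value."""
    name, expected, _ = parse_integrity(value)
    return HASHES[name](content).digest() == expected


# Constructed sample resource with its integrity value in both spellings;
# "future=1" is a made-up option that the parser must ignore.
SAMPLE = b"console.log('hello');\n"
_raw = hashlib.sha256(SAMPLE).digest()
SPEC_FORM = ("ni:///sha-256;"
             + base64.urlsafe_b64encode(_raw).decode().rstrip("=")
             + "?ct=application/javascript")
CANARY_FORM = ("ni:///sha256;" + base64.b64encode(_raw).decode()
               + "?ct=application/javascript&future=1")

if __name__ == "__main__":
    same = parse_integrity(PAGE_SPEC_FORM)[1] == parse_integrity(PAGE_CANARY_FORM)[1]
    print("page values carry the same digest:", same)
    print("options kept:", parse_integrity(CANARY_FORM)[2])
    print("untouched resource matches:", resource_matches(CANARY_FORM, SAMPLE))
    print("modified resource matches:", resource_matches(CANARY_FORM, SAMPLE + b"x"))
    for bad in ("ni://sha256;" + base64.b64encode(_raw).decode(), "ni:///md5;AAAA"):
        try:
            parse_integrity(bad)
        except IntegrityParseError as err:
            print("rejected:", bad[:16], "->", err)
```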
Project Member Comment 21 by bugdroid1@chromium.org, Jun 2 2015
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=196272

------------------------------------------------------------------
r196272 | jww@chromium.org | 2015-06-02T01:51:19.432018Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLIFrameElement.idl?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/webexposed/element-instance-property-listing-expected.txt?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLTrackElement.idl?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/webexposed/global-interface-listing-expected.txt?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLObjectElement.idl?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/integrity-attribute.html?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLAnchorElement.idl?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLEmbedElement.idl?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/dom/plugin-attributes-enumeration-expected.txt?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLMediaElement.idl?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLSourceElement.idl?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/integrity-attribute-expected.txt?r1=196272&r2=196271&pathrev=196272
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLImageElement.idl?r1=196272&r2=196271&pathrev=196272

Remove integrity attribute from elements not in SRI spec

Initially, it was anticipated that Subresource Integrity would cover
many more elements than the current version of the spec covers. While
many elements may be added in a future version of the spec, this CL
removes them since they are unspec'd and unimplemented.

BUG= 355467 

Review URL: https://codereview.chromium.org/1151773007
-----------------------------------------------------------------
Project Member Comment 23 by bugdroid1@chromium.org, Jun 8 2015
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=196703

------------------------------------------------------------------
r196703 | jww@chromium.org | 2015-06-08T23:05:00.190193Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-hash-function-priority-console-messages.html?r1=196703&r2=196702&pathrev=196703
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-no-cors-no-xorigin-with-creds-expected.txt?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-cors-no-xorigin.html?r1=196703&r2=196702&pathrev=196703
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-no-cors-expected.txt?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrityTest.cpp?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.cpp?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-cors-no-xorigin.html?r1=196703&r2=196702&pathrev=196703
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-hash-function-priority-expected.txt?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-invalid-integrity.html?r1=196703&r2=196702&pathrev=196703
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-hash-function-priority-console-messages-expected.txt?r1=196703&r2=196702&pathrev=196703
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-cors-no-xorigin-console-messages.html?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-no-cors-no-xorigin.html?r1=196703&r2=196702&pathrev=196703
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-invalid-integrity-console-messages.html?r1=196703&r2=196702&pathrev=196703
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-cors-no-xorigin-expected.txt?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-no-cors-no-xorigin.html?r1=196703&r2=196702&pathrev=196703
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-invalid-integrity-expected.txt?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-no-cors-no-xorigin-with-creds.html?r1=196703&r2=196702&pathrev=196703
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-cors-no-xorigin-console-messages-expected.txt?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-unknown-hash-allowed-expected.txt?r1=196703&r2=196702&pathrev=196703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-no-cors-no-xorigin-with-creds.html?r1=196703&r2=196702&pathrev=196703
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-invalid-integrity-console-messages-expected.txt?r1=196703&r2=196702&pathrev=196703
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-cors-bad-integrity-expected.txt?r1=196703&r2=196702&pathrev=196703
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-script-no-cors-no-xorigin-expected.txt?r1=196703&r2=196702&pathrev=196703

SRI fail open on ineligible resources.

Previously, SRI failed closed if a resource was ineligible (i.e. if it's
a cross-origin request and was not a CORS request). However, for
forwards compatibility, the spec now states that ineligible resources
should fail open, with a developer console warning
(https://github.com/w3c/webappsec/pull/394).

This is okay from a security perspective because if the reverse case
happens (a CORS request is made, but the server responds without or with
unusable CORS headers), SRI still fails closed because Fetch() will not
let it reach the integrity check. This is important because an attacker
could modify or drop the CORS headers on the server if they have
control, which is the attack vector SRI is protecting against.

BUG= 355467 
R=mkwst@chromium.org

Review URL: https://codereview.chromium.org/1166003004
-----------------------------------------------------------------
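Added example, not part of the issue thread and not Blink's code: a Python model of the outcomes the r196703 commit message describes, so the fail-open and fail-closed paths can be compared side by side. The `Load` fields, the `Outcome` names and the sample loads are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    LOADED = "loaded, digest verified"
    LOADED_UNCHECKED = "loaded without integrity check, console warning"
    BLOCKED_BY_FETCH = "blocked by Fetch before the integrity check"
    BLOCKED_BY_SRI = "blocked, digest mismatch"


@dataclass
class Load:
    cross_origin: bool     # resource origin differs from the document's
    cors_request: bool     # the request was made as a CORS request
    cors_headers_ok: bool  # the response carried usable CORS headers
    body: bytes            # bytes actually delivered


def decide(load, expected_sha256):
    """Model of the behaviour described in the commit message."""
    # Ineligible: cross-origin and not a CORS request. Fails open.
    if load.cross_origin and not load.cors_request:
        return Outcome.LOADED_UNCHECKED
    # CORS request answered without usable CORS headers: Fetch stops the
    # response before the integrity check is reached. Fails closed.
    if load.cross_origin and not load.cors_headers_ok:
        return Outcome.BLOCKED_BY_FETCH
    # Eligible resource: the digest decides.
    if hashlib.sha256(load.body).digest() != expected_sha256:
        return Outcome.BLOCKED_BY_SRI
    return Outcome.LOADED


def unprotected(loads, expected_sha256):
    """Names of loads whose integrity attribute was never enforced."""
    return [name for name, load in loads.items()
            if decide(load, expected_sha256) is Outcome.LOADED_UNCHECKED]


# Constructed sample data.
GOOD = b"window.lib = {};\n"
TAMPERED = GOOD + b"/* modified in transit or on the server */\n"
EXPECTED = hashlib.sha256(GOOD).digest()
SCENARIOS = {
    "same-origin, intact": Load(False, False, False, GOOD),
    "cross-origin, no CORS, modified": Load(True, False, False, TAMPERED),
    "cross-origin, CORS, headers dropped": Load(True, True, False, GOOD),
    "cross-origin, CORS, modified": Load(True, True, True, TAMPERED),
    "cross-origin, CORS, intact": Load(True, True, True, GOOD),
}

if __name__ == "__main__":
    for name, load in SCENARIOS.items():
        print(f"{name:38} -> {decide(load, EXPECTED).value}")
    print("integrity attribute not enforced for:", unprotected(SCENARIOS, EXPECTED))
```

The second scenario is the one to audit for: a modified resource loads because the request was never eligible, so the console warning is the only signal that the integrity attribute did nothing.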
Project Member Comment 24 by bugdroid1@chromium.org, Jun 16 2015
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=197184

------------------------------------------------------------------
r197184 | jww@chromium.org | 2015-06-16T17:56:27.988307Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.cpp?r1=197184&r2=197183&pathrev=197184
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/UseCounter.h?r1=197184&r2=197183&pathrev=197184

Add use counter for ineligible Subresource Integrity use

This adds a counter to track how often an integrity attribute is used on
a valid HTML tag, but for a resource load that is ineligible. Ineligible
resources are those that are cross origin, but done without CORS. These
loads are allowed, but no SRI check is done, and a console message is
logged.

R=mkwst@chromium.org
BUG= 355467 

Review URL: https://codereview.chromium.org/1184183003
-----------------------------------------------------------------
Project Member Comment 25 by bugdroid1@chromium.org, Jun 19 2015
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=197494

------------------------------------------------------------------
r197494 | jww@chromium.org | 2015-06-19T19:01:27.919040Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/virtual/stable/webexposed/global-interface-listing-expected.txt?r1=197494&r2=197493&pathrev=197494
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLLinkElement.idl?r1=197494&r2=197493&pathrev=197494
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SubresourceIntegrity.cpp?r1=197494&r2=197493&pathrev=197494
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/virtual/stable/webexposed/element-instance-property-listing-expected.txt?r1=197494&r2=197493&pathrev=197494
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLScriptElement.idl?r1=197494&r2=197493&pathrev=197494
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/RuntimeEnabledFeatures.in?r1=197494&r2=197493&pathrev=197494

Ship Subresource Integrity

Removes the runtime flag for subresource integrity so it is enabled by
default. Enables the 'integrity' attribute for HTMLLinkElement and
HTMLScriptElement where a hash can be specified for the expected
content. If hash values do not match, fetch will be blocked.

Intent to Ship (and approvals):
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/G3HY0qqTvw8

Spec: https://w3c.github.io/webappsec/specs/subresourceintegrity/

R=mkwst@chromium.org
BUG= 355467 

Review URL: https://codereview.chromium.org/1186883003
-----------------------------------------------------------------
Comment 26 by jww@chromium.org, Jun 19 2015
Status: Fixed
This has shipped, so marking as fixed.
Comment 27 by jww@chromium.org, Jul 10 2015
As a point of clarification, we have shipped SRI as per the spec only for <script> and <link rel="stylesheet"> elements. Please see https://w3c.github.io/webappsec/specs/subresourceintegrity/ for the full details of what we've implemented.