Issue metadata
Sign in to add a comment
|
stylesheets with integrity attribute downloaded twice
Reported by
scul...@looker.com,
Mar 15 2017
|
||||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36 Example URL: https://googlechrome.github.io/samples/subresource-integrity/ Steps to reproduce the problem: 1. Create a webpage with remote stylesheets, use a link tags with an integrity hash (correct or not) 2. Load said page 3. Observe in either the network panel or on the webserver serving the stylesheet that it is requested twice. What is the expected behavior? Stylesheets with integrity attribute should only be downloaded once. What went wrong? Both example stylesheets with integrity attribute, one correct and incorrect, are downloaded twice over the network. Did this work before? N/A Chrome version: 57.0.2987.98 Channel: stable OS Version: OS X 10.12.3 Flash Version:
,
Mar 16 2017
,
Mar 16 2017
,
Jul 7 2017
I suspect this and https://bugs.chromium.org/p/chromium/issues/detail?id=677022 are not the same issue. Looking at the preloadScanner code, it seems like it doesn't support to integrity attribute for stylesheets (only for scripts), and that is probably the reason why this case is failing. That's inherently different from the <link preload> case, where we're not sure if we should or shouldn't force developers to add `integrity` multiple times...
,
Jul 7 2017
Yeah I think Yoav is right, but in fact we should support SRI for preloaded scripts, just not preloaded CSS. This was due to the fact that script cached its integrity while stylesheet did not. I think this might be a one-liner fix in the preload scanner, let me double check.
,
Jul 7 2017
,
Jul 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fbfb2c5150d58688ead6a95a2a168bfe22984490 commit fbfb2c5150d58688ead6a95a2a168bfe22984490 Author: Hiroshige Hayashizaki <hiroshige@chromium.org> Date: Wed Jul 26 03:35:25 2017 Add MockWebCrypto and CryptoTestingPlatformSupport For moving SubresourceIntegrityTest from core to platform in https://chromium-review.googlesource.com/c/576968/, because WebCryptoImpl is not available in blink_platform_unittests. Bug: 746115 , 701943 Change-Id: I85183cbf94cacaf889b7b819af13d8c9c38a5a82 Reviewed-on: https://chromium-review.googlesource.com/582334 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#489542} [modify] https://crrev.com/fbfb2c5150d58688ead6a95a2a168bfe22984490/third_party/WebKit/Source/platform/BUILD.gn [modify] https://crrev.com/fbfb2c5150d58688ead6a95a2a168bfe22984490/third_party/WebKit/Source/platform/loader/BUILD.gn [add] https://crrev.com/fbfb2c5150d58688ead6a95a2a168bfe22984490/third_party/WebKit/Source/platform/loader/testing/CryptoTestingPlatformSupport.h [add] https://crrev.com/fbfb2c5150d58688ead6a95a2a168bfe22984490/third_party/WebKit/Source/platform/testing/MockWebCrypto.cpp [add] https://crrev.com/fbfb2c5150d58688ead6a95a2a168bfe22984490/third_party/WebKit/Source/platform/testing/MockWebCrypto.h
,
Jul 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262 commit d001e0d5d89d2ecdee30c3fe951f5088fc4f3262 Author: Hiroshige Hayashizaki <hiroshige@chromium.org> Date: Thu Jul 27 03:48:06 2017 Move SubresourceIntegrity to platform/loader This CL - Introduces SubresourceIntegrity::ReportInfo that represents the things that don't affect the check results themselves but require ExecutionContext, i.e. console error messages and UseCounter counts, - Factors out dependencies to Document/ExecutionContext from SubresourceIntegrity.h/cpp by making ReportInfo filled in SubresourceIntegrity and processed by the callers of SubresourceIntegrity that have ExecutionContext, and thereby - Moves SubresourceIntegrity to platform/loader. This is preparation to move SubresourceIntegrity calls to Resource in https://chromium-review.googlesource.com/c/576950/. Bug: 746115 , 701943 Change-Id: I3c1a4650291d01ab7162c72c6e682c31de45cbb6 Reviewed-on: https://chromium-review.googlesource.com/576968 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#489851} [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/BUILD.gn [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/dom/ClassicPendingScript.cpp [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/dom/ScriptLoader.cpp [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/frame/BUILD.gn [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/html/LinkStyle.cpp [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/loader/BUILD.gn [add] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/loader/SubresourceIntegrityHelper.cpp [add] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/loader/SubresourceIntegrityHelper.h [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/core/loader/resource/ScriptResource.cpp [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/modules/fetch/FetchManager.cpp [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/platform/loader/BUILD.gn [rename] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/platform/loader/SubresourceIntegrity.cpp [rename] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/platform/loader/SubresourceIntegrity.h [rename] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/platform/loader/SubresourceIntegrityTest.cpp [modify] https://crrev.com/d001e0d5d89d2ecdee30c3fe951f5088fc4f3262/third_party/WebKit/Source/platform/testing/TestingPlatformSupport.h
,
Jul 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/55ebf5a43475f5addddf3fb9cd909b6ea70c9e5c commit 55ebf5a43475f5addddf3fb9cd909b6ea70c9e5c Author: Hiroshige Hayashizaki <hiroshige@chromium.org> Date: Fri Jul 28 05:06:50 2017 Use Resource's IntegrityMetadata() for LinkStyle SRI check SubresourceIntegrity check result is cached in Resource::IntegrityDisposition(), and thus reused for requests with the same integrity metadata at the time of requests. However, SubresourceIntegrity check is currently done against the integrity attribute value at the time of stylesheet load completion, which can be different from Resource::IntegrityDisposition(), causing inconsistent check results to be cached and SRI checks to be bypassed. This CL fixes this by checking SubresourceIntegrity against Resource::IntegrityDisposition(). Behavior change: SRI for <link rel=stylesheet> is checked against the integrity attribute at the time of load start, not at the time of load completion (subresource-integrity-style-attribute-changed.html). This is consistent with <script>'s SRI checks, and this CL prepares for merging <script> and <link rel=stylesheet> SRI checks into a single implementation in Resource in https://chromium-review.googlesource.com/c/576950/. Bug: 749281, 746115 , 701943 Change-Id: I521e49966ee8881ca7915da997c3b89238e5b700 Reviewed-on: https://chromium-review.googlesource.com/587227 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Cr-Commit-Position: refs/heads/master@{#490274} [add] https://crrev.com/55ebf5a43475f5addddf3fb9cd909b6ea70c9e5c/third_party/WebKit/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-attribute-changed.html [add] https://crrev.com/55ebf5a43475f5addddf3fb9cd909b6ea70c9e5c/third_party/WebKit/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-bypass-by-attribute-change.html [modify] https://crrev.com/55ebf5a43475f5addddf3fb9cd909b6ea70c9e5c/third_party/WebKit/Source/core/html/LinkStyle.cpp
,
Jul 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/84515b96a245a237de89424989b385ec6a72d7f7 commit 84515b96a245a237de89424989b385ec6a72d7f7 Author: Hiroshige Hayashizaki <hiroshige@chromium.org> Date: Fri Jul 28 18:36:38 2017 Use Resource::Url() in LinkStyle SRI To prepare for merging SRI checks in LinkStyle and ScriptResource into a single implementation in Resource [1], this CL makes LinkStyle's SRI check to use Resource::Url(), which is consistent with ScriptResource::CheckResourceIntegrity(). This CL doesn't change the behavior, because SetCSSStyleSheet()'s |href| argument is String-converted Resource::Url(). [1] https://chromium-review.googlesource.com/c/576950/ Bug: 746115 , 701943 Change-Id: I55f0d36ef5ba791b7252b7f8a2460636bdfe680b Reviewed-on: https://chromium-review.googlesource.com/587247 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#490474} [modify] https://crrev.com/84515b96a245a237de89424989b385ec6a72d7f7/third_party/WebKit/Source/core/html/LinkStyle.cpp
,
Jul 31 2017
,
Aug 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3305344cb14705b1c8cb802cfd65e49d375aff85 commit 3305344cb14705b1c8cb802cfd65e49d375aff85 Author: Hiroshige Hayashizaki <hiroshige@chromium.org> Date: Wed Aug 02 22:14:28 2017 Move SubresourceIntegrity calls to Resource This CL moves SubresourceIntegrity calls to Resource, just before CheckNotify(), where Resource::Data() is always available. This makes - SubresourceIntegrity always checked if integrity metadata is set, and - SubresourceIntegrity and ResourceIntegrityDisposition control not depend on ResourceClients (ClassicPendingScript and LinkStyle). This removes Resource::SetIntegrityDisposition(), and and unblocks https://chromium-review.googlesource.com/c/562859/. This CL also makes Resource cache SubresourceIntegrity::ReportInfo in Resource, and thus outputs SRI console error messages and update UseCounters for every classic script and stylesheet that shares a Resource, not only for the first use ( Issue 585267 ). Bug: 746115 , 701943 , 585267 , 653502 Change-Id: I03e7c22319980bd297cb5d9fb58589966a0b2f71 Reviewed-on: https://chromium-review.googlesource.com/576950 Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Cr-Commit-Position: refs/heads/master@{#491526} [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/LayoutTests/http/tests/security/subresourceIntegrity/clear-integrity-attribute-expected.txt [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/LayoutTests/http/tests/security/subresourceIntegrity/shared-with-xhtml-expected.txt [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/Source/core/dom/ClassicPendingScript.cpp [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/Source/core/html/LinkStyle.cpp [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/Source/core/loader/resource/ScriptResource.cpp [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/Source/core/loader/resource/ScriptResource.h [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/Source/platform/loader/SubresourceIntegrity.cpp [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/Source/platform/loader/SubresourceIntegrity.h [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/Source/platform/loader/fetch/Resource.cpp [modify] https://crrev.com/3305344cb14705b1c8cb802cfd65e49d375aff85/third_party/WebKit/Source/platform/loader/fetch/Resource.h
,
Aug 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a32e2abb4022f64a616bf5471ad9984f6f7ae991 commit a32e2abb4022f64a616bf5471ad9984f6f7ae991 Author: Charles Harrison <csharrison@chromium.org> Date: Tue Aug 08 06:06:04 2017 Reuse speculative stylesheet preloads with SRI metadata Recently, CSS stylesheets started caching their SRI metadata, since they now do not keep their raw data around for re-hashing. This means that for a request with SRI to match a preload, the preload must have SRI metadata cached as well, as the hash cannot be computed on the fly. This is how script has been for a while, so all the plumbing is already in place for adding this metadata to stylesheet preloads, so this CL ends up being very simple. Bug: 701943 Change-Id: I805b6515a9828c827c8935a2a831d3c75d6d9b66 Reviewed-on: https://chromium-review.googlesource.com/562859 Commit-Queue: Charlie Harrison <csharrison@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Yoav Weiss <yoav@yoav.ws> Cr-Commit-Position: refs/heads/master@{#492548} [add] https://crrev.com/a32e2abb4022f64a616bf5471ad9984f6f7ae991/third_party/WebKit/LayoutTests/http/tests/preload/reuse_sri.html [modify] https://crrev.com/a32e2abb4022f64a616bf5471ad9984f6f7ae991/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp [modify] https://crrev.com/a32e2abb4022f64a616bf5471ad9984f6f7ae991/third_party/WebKit/Source/core/html/parser/PreloadRequest.h
,
Aug 8 2017
Should be fixed.
,
Aug 11 2017
|
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by manoranj...@chromium.org
, Mar 15 2017