Zenhack.net

SRI Update

27 Dec 2015

Last week I mentioned having independently thought of what is essentially SRI, but for the purposes of caching. This week’s post is just a brief update.

As mentioned, I sent an email to the relevant mailing list. Basically what I learned is, people have thought of using SRI for caching and are discussing it. It didn’t make it into version 1 of the spec because there are some subtleties that need working out and it was brought up too late in the process. Security is always harder than you’d think.

The other messages in that thread link to older discussions. From the mailing list archives it looks like the discussion had been dormant, and my message seems to have revived it. There’s an issue tracking this on github, and it mentions some of the things that need working out. It provides a proposal that seems sensible to me at first glance, for whatever that’s worth.

One gotcha that I hadn’t thought of is history tracking attacks: Without proper restrictions, a website could determine if the user had visited a particular page by providing a link to the same resource on their own server, with the hash. If the user doesn’t fetch it, they’ve probably got it in cache, which means they’ve visited the other website.

It does seem like the idea is basically sound though. I’m curious to see how all of this plays out.