subresource integrity check pass-through feature

[sharethewisdom]

In this issue, I'd like to start a discussion about whether or not uBlockO should adopt some mechanism that would allow browsers to do subresource integrity checks.

In particular, I think that website creators that use popular CDNs (to load jquery, bootstrap or other javacripts and stylesheets) will increasingly use this feature, and should be encouraged to do so.

Some uBlockO users like me that like a whitelisting approach in the dynamic ruleset may want to let subresources that have integrity attributes be passed through to static filtering, or to let the browser to do these checks. I'm thinking something like:

* * 3p       block
* * 3p-frame block
* amazonaws.com    3p-hashed noop
* bootstrapcdn.com 3p-hashed noop
* cloudfront.net   3p-hashed noop
* jquery.com       3p-hashed noop

or

* * 3p       block
* * 3p-frame block
* * 3p-hashed noop

... or is this more in the scope of uMatrix?

Two blog posts (07-2015) and (06-2016) provide more info.

[gorhill]

I will decline, I don't see how I could fit this in the current UI, and I do not plan to rewrite the UI. Additionally, whether a tag has a sri attribute is not something available to a HTTP observer which is where network requests are blocked.

[sharethewisdom]

Ok, I'm sorry for the noise and for raising this issue while I actually anticipated that answer, I'm writing as ideas come...

One mention though: GNU LibreJS contains a precompiled list of hashes for javascripts in ./data/script_libraries/script-libraries.json like these:

{
    "a83caf65714ff3a56aded6088acb525e9d305881": {
        "filename": "https://code.jquery.com/ui/1.11.2/jquery-ui.min.js",
        "result": "[freelib]"
    },
    "0b327b43256da9f57b78e3134aaecc2a4a5a3bad": {
        "filename": "https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.1/jquery-ui.js",
        "result": "[freelib]"
    }
}

I'm thinking that a hash comparison using a special third party filter may be sufficient for security-aware users. And it may not be too much of an overhead for uBlockO.

suppose a special filter would instruct to:

• intercept requests for destination urls starting with, for example, https://code.jquery.com/ui/
• continue if requests urls match the list and comparing the hash checks out (downloading and hashing it in memory? chrome worker? performance?), if not, just get rid of it and dismiss it.
• handle requests by injecting the javascript

Again, sorry for the noise, I don't apprehend the implications as well as you do. Trivial vs free javascript detection appears to be more involved (see lib/js_checker/*). I suspect it isn't as simple as I put it. Please share your opinion. Thanks for uBlock Origin!