mozilla / http-observatory

Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0

Subresource Integrity vs no scripts #389

Open keganlance opened 5 years ago

keganlance commented 5 years ago

Currently having Subresource Integrity gives you 5 bonus points. These bonus points are not given when scripts are blocked altogether with csp script-src: 'none'.

One would expect blocking all scripts would be more secure than having subresource integrity. So at least 5 bonus points should be given here.

floatingatoll commented 5 years ago

Scores beyond 100/100 with no penalties are considered “extra credit”, and due to various circumstances such as the scoring variance you’ve noted it’s impractical (or impossible!) for every site to reach a theoretical “maximum” high score. The disparity between SRI and script-src: none has been discussed a few times previously and afaik no changes were planned as of the most recent one.


keganlance commented 5 years ago

Alright. Thanks for the info! Currently the observatory doesn't recognise integrity of link tags. Is this something planned?

floatingatoll commented 5 years ago

Could you provide a sample of either the HTML content you’re describing or a URL where it can be seen and scanned for testing?


keganlance commented 5 years ago

<link rel="stylesheet" href="main.css?v=3" crossorigin="anonymous" integrity="sha384-TkigcQyhTBNKZaDfB6OAn9d1cFvVEYWE5duhTxMi3hRmLd8XHusJMpR1U05IZONh">

in document head. The integrity is correct.

Malvoz commented 5 years ago

The initial concern seems like a dupe to https://github.com/mozilla/http-observatory/issues/273, although this issue seems to have taken another direction.

ghost commented 5 years ago

<link rel="stylesheet" href="main.css?v=3" crossorigin="anonymous" integrity="sha384-TkigcQyhTBNKZaDfB6OAn9d1cFvVEYWE5duhTxMi3hRmLd8XHusJMpR1U05IZONh">

in document head. The integrity is correct.

Indeed, the Observatory stopped looking at style when taking SRI into account, no matter the fact that a malicious stylesheet injection can be as dangerous as a malicious script injection.
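The check this thread asks the Observatory to perform, written as an added example that is not part of the project's code: it collects stylesheet `<link>` and `<script>` subresources from a page, recomputes the SRI digest over the resource bytes, and applies the specification's rule that only tokens of the strongest listed algorithm count. The `fetch` callable is an assumed caller-supplied function that returns a subresource's bytes; the sample CSS and HTML in the test are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Elements SRI applies to, with the attribute that names the subresource.
SRI_TAGS = {"link": "href", "script": "src"}
# Relative strength of the hash algorithms SRI allows.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


class SriTagCollector(HTMLParser):
    """Collect stylesheet <link> and <script> start tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in SRI_TAGS:
            a = dict(attrs)
            # For <link>, only rel="stylesheet" is an SRI-eligible subresource.
            if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
                return
            self.tags.append((tag, a))


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Build an SRI token ('<algo>-<base64 digest>') over the resource bytes."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, content).digest()).decode()


def check_integrity(integrity: str, content: bytes) -> bool:
    """SRI rule: keep only tokens using the strongest listed algorithm and
    pass if any one of them matches. Unrecognised metadata counts as unprotected."""
    tokens = [t.split("?")[0] for t in integrity.split()]  # drop option suffix
    tokens = [t for t in tokens if t.partition("-")[0] in STRENGTH]
    if not tokens:
        return False
    best = max(STRENGTH[t.partition("-")[0]] for t in tokens)
    return any(sri_digest(content, t.partition("-")[0]) == t
               for t in tokens if STRENGTH[t.partition("-")[0]] == best)


def audit_sri(html: str, fetch) -> list:
    """Report, per external stylesheet/script, whether it carries an integrity
    attribute and whether that attribute matches the bytes fetch(url) returns."""
    parser = SriTagCollector()
    parser.feed(html)
    report = []
    for tag, a in parser.tags:
        url = a.get(SRI_TAGS[tag])
        if not url:
            continue  # inline script: SRI does not apply
        integrity = a.get("integrity")
        entry = {"tag": tag, "url": url, "has_integrity": integrity is not None, "valid": None}
        if integrity is not None:
            entry["valid"] = check_integrity(integrity, fetch(url))
        report.append(entry)
    return report
```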