w3c / webappsec

Web Application Security Working Group repo
https://www.w3.org/groups/wg/webappsec/

SRI object support #210

Open devd opened 9 years ago

devd commented 9 years ago

No current implementation supports it, but objects fall under the "code" banner and so would be nice to support. I would argue they are more important than styles.

Not sure if this should be in v1 or not, but this issue will track consensus if any.

fmarier commented 9 years ago

For what it's worth, I'm not currently planning on adding support for <object> elements in the initial Firefox implementation.

annevk commented 9 years ago

object (and embed) are super complex as they can be either a browsing context or embedding context. I recommend tackling iframe first, then these more difficult contexts.

devd commented 9 years ago

well, in terms of security though, embedded flash with allowSameDomain is far more powerful.

(that said .. I am leaning towards punting this to vNext)

hillbrad commented 9 years ago

Many object classes also have internal means to load additional code that are not necessarily mediated through the browser, or not in a way that these policies may reach. So as much as I want to see this, it may be too much to tackle for v1 and maybe impossible to ever get reliably correct.

On Mon, Mar 9, 2015 at 10:36 AM Devdatta Akhawe <notifications@github.com> wrote:

> well, in terms of security though, embedded flash with allowSameDomain is far more powerful.
>
> (that said .. I am leaning towards punting this to vNext)


devd commented 9 years ago

yup .. but it is one of those key "don't want to trust CDN" use cases. That said, I agree we should drop it in v1 and look at this again for vnext. I would definitely argue (then) that this is more important to try than iframes or images.

hillbrad commented 9 years ago

Yeah, I'd love it to be able to do this, but that doesn't make it realistic. Unless Flash updates to play better with these kinds of policies, it's just going to get increasingly left out of scenarios that require it.

On Mon, Mar 9, 2015 at 5:28 PM Devdatta Akhawe <notifications@github.com> wrote:

> yup .. but it is one of those key "don't want to trust CDN" use cases. That said, I agree we should drop it in v1 and look at this again for vnext. I would definitely argue (then) that this is more important to try than iframes or images.


devd commented 9 years ago

well if you can load the flash file with integrity, you can manually confirm in your own code that you are not loading any other file without integrity.

Conversely, JS in SRIv1 can load other JS (bounded by CSP) that is not checked for integrity---we haven't really solved the "mandate all scripts from CDN to have SRI" anyhow.

annevk commented 9 years ago

@devd sure, Flash is powerful, but you cannot address just Flash as that would leave other capabilities of object unaddressed. Which is why I suggested starting with the simpler iframe.
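
An added example, not part of the thread and not code from any browser or from the working group: a Python audit that lists a page's cross-origin subresources and separates the ones SRI can pin (script and stylesheet link elements) from the object and embed loads this issue leaves uncovered. The function names, status labels, sample hosts and placeholder digest are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# URL-carrying attribute per element. The integrity attribute is defined for
# script and link; object and embed have no counterpart (the thread's subject).
URL_ATTR = {"script": "src", "link": "href", "object": "data", "embed": "src"}
SRI_ELEMENTS = {"script", "link"}

# Constructed sample page: hosts and the digest are placeholders.
SAMPLE = """
<script src="https://cdn.example/app.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/lib.js"></script>
<link rel="stylesheet" href="/local.css">
<object data="https://cdn.example/player.swf" type="application/x-shockwave-flash"></object>
<embed src="https://cdn.example/widget.swf">
"""

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

class SubresourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL, status)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(URL_ATTR.get(tag, ""))
        if not url:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # only stylesheet links are audited here
        absolute = urljoin(self.page_url, url)
        if origin(absolute) == origin(self.page_url):
            return  # same-origin load, outside the "don't trust the CDN" case
        if tag not in SRI_ELEMENTS:
            status = "no-sri-support"  # cannot be pinned with integrity
        elif (attrs.get("integrity") or "").strip():
            status = "integrity-present"  # presence only; digest is not verified
        else:
            status = "integrity-missing"
        self.findings.append((tag, absolute, status))

def audit(page_url, html):
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    return parser.findings
```

The origin comparison is literal, so a URL that spells out its default port is treated as a different origin from one that omits it.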