item 31801642
blip54321 | 3 years ago

If it were me, I'd make third-party font sources require a SHA hash. In pseudocode:

    url("https://fonts.googleapis.com/comic-sans", sha="abcd1234")

This way:

- If my browser has comic-sans cached, no request is made

- Caching works even if the same resource is sourced from multiple places (e.g. I can host comic-sans locally, but if they got it from a CDN, they don't need to get it again)

- If a malicious site replaces a resource, that's flagged

I think the trick would be to make this optional (but bandwidth/privacy-saving), and gradually to make this increasingly mandatory for different types of resources. AJAX calls obviously can't have SHA hashes, but JavaScript libraries can.

jfk13 | 3 years ago

Sounds like you're basically reinventing SRI: https://en.wikipedia.org/wiki/Subresource_Integrity

One issue with cross-site caching, though, is that it may enable timing-based attacks on privacy.

blip54321 | 3 years ago

No, I'm not reinventing it, but extending it by:

1) Mandating it for certain types of resources

2) Extending caching to cover the cross-site case.

Can you please explain the proposed timing-based attack?

zzo38computer | 3 years ago

I had a similar idea. In addition to caching and detecting if it has been unexpectedly changed, there are other benefits:

- The end user could have the option to enable/disable caching, and to clear the cache. Further configuration is also possible, e.g. to enable same-origin caching only.

- The end user could have the option to replace resources with their own regardless of where the files come from; there is one table keyed by hash and the value is the file to use instead, which might or might not be the same file (so the hash does not necessarily need to match the file that is being used instead).

- Features specific to the browser to make it more efficient could also be used when the user configures replacement of resources, e.g. if it can somehow implement jQuery in native code, or uses a different font format which is more efficient on the computer that it is running on.

- If archived copies of parts of web sites are being made, it can efficiently check if it already has some file which is being used in such a way.

However, requiring a hash probably should not be made mandatory.
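The following is an added example, not code from any of the commenters above, that models the scheme blip54321 sketches (a cache keyed by the declared hash rather than by URL, with a mismatch flagged instead of used) together with zzo38computer's two options: a user replacement table keyed by hash whose value need not hash to that key, and same-origin-only caching. The class name, the `partition_by_origin` flag, the use of SHA-256, the `fake_fetch` stand-in for the network and the sample URLs and font bytes are all constructed for the example. Partitioning the key by the requesting page's origin is included because it is the usual answer to the cross-site cache-hit timing concern jfk13 raises: a hit then only reveals what this origin has already loaded.

```python
import hashlib
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """Raised when fetched bytes do not match the hash the page declared."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class HashCache:
    """Content-addressed subresource cache (hypothetical, for illustration).

    Entries are keyed by the declared hash, not by URL, so identical bytes
    served from a CDN and from a local mirror share one entry. With
    partition_by_origin=True the key also includes the requesting page's
    origin (the "same-origin caching only" option), which removes the
    cross-site cache-hit signal at the cost of re-fetching once per origin.
    """
    partition_by_origin: bool = False
    # User replacement table: declared hash -> bytes to use instead.
    # The replacement deliberately need not hash to the key.
    replacements: dict = field(default_factory=dict)
    _store: dict = field(default_factory=dict)
    fetches: list = field(default_factory=list)  # URLs actually fetched

    def _key(self, sha: str, page_origin: str):
        return (page_origin, sha) if self.partition_by_origin else (None, sha)

    def load(self, url: str, sha: str, page_origin: str, fetch):
        """Return (bytes, source); source is 'replaced', 'cache' or 'network'."""
        if sha in self.replacements:
            return self.replacements[sha], "replaced"
        key = self._key(sha, page_origin)
        if key in self._store:
            return self._store[key], "cache"  # no request is made
        body = fetch(url)
        self.fetches.append(url)
        actual = sha256_hex(body)
        if actual != sha:
            # Flag the mismatch rather than use the resource.
            raise IntegrityError(f"{url}: expected {sha[:12]}..., got {actual[:12]}...")
        self._store[key] = body
        return body, "network"


# Constructed sample "network": three URLs, two serving identical bytes.
FONT = b"constructed font bytes: comic-sans v1"
FONT_SHA = sha256_hex(FONT)
CDN_URL = "https://cdn.example/comic-sans.woff2"
LOCAL_URL = "https://mysite.example/fonts/comic-sans.woff2"
TAMPERED_URL = "https://tampered.example/comic-sans.woff2"
NETWORK = {
    CDN_URL: FONT,
    LOCAL_URL: FONT,
    TAMPERED_URL: FONT + b" (modified)",
}


def fake_fetch(url: str) -> bytes:
    """Stand-in for an HTTP fetch; looks up the constructed table above."""
    return NETWORK[url]


def demo() -> dict:
    # Shared (cross-site) cache: the local mirror hits the CDN's entry.
    shared = HashCache()
    _, first = shared.load(CDN_URL, FONT_SHA, "https://a.example", fake_fetch)
    _, second = shared.load(LOCAL_URL, FONT_SHA, "https://b.example", fake_fetch)
    fetches_so_far = len(shared.fetches)

    # Fresh cache: a source serving altered bytes under the same declared hash.
    strict = HashCache()
    try:
        strict.load(TAMPERED_URL, FONT_SHA, "https://c.example", fake_fetch)
        tampered = "accepted"
    except IntegrityError:
        tampered = "rejected"

    # User replacement wins over both cache and network.
    shared.replacements[FONT_SHA] = b"constructed: user's own font"
    body, third = shared.load(CDN_URL, FONT_SHA, "https://a.example", fake_fetch)

    # Partitioned cache: a second origin must fetch again.
    partitioned = HashCache(partition_by_origin=True)
    partitioned.load(CDN_URL, FONT_SHA, "https://a.example", fake_fetch)
    _, p_second = partitioned.load(CDN_URL, FONT_SHA, "https://b.example", fake_fetch)
    return {
        "first": first, "second": second, "shared_fetches": fetches_so_far,
        "tampered": tampered, "third": third, "replacement_body": body,
        "partitioned_second": p_second, "partitioned_fetches": len(partitioned.fetches),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the trade-off in the thread directly: the shared cache makes exactly one network request for two URLs of the same bytes and rejects the altered copy, while the partitioned cache gives up that saving for a second origin in exchange for not exposing what other sites have loaded.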