undefined | Better HN

0 pointsjowiar12y ago0 comments

This strikes me as something that, without a lot of thought, will expose a user's browsing history (similar to the old "check the visited link color" attacks). Insert script links with a hash, check to see if the browser makes a request.

0 comments

2 comments · 2 top-level

anglebracket12y ago

That was my thought too, the candidate spec for this[0] seems to have taken that into consideration by requiring the scripts to be served with an `Access-Control-Allow-Origin: <origin>` header.

Since the server needs to grant you full cross-origin read permissions to even start the hash check, it's not likely that an attacker could use this to infer more about cross-origin resources than they already can.

[0]: http://w3c.github.io/webappsec/specs/subresourceintegrity/

cma12y ago

I think with JSONP you can already make a cross-site request, time the response, and determine whether it was cached or had to be fetched.

j / k navigate · click thread line to collapse