Chromium Code Reviews (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

Issue 1713093002: Fix SRI bypass by loading same resource twice in same origin. (Closed)

4 years, 10 months ago by jww
4 years, 10 months ago
Base URL:
Target Ref:


Fix SRI bypass by loading same resource twice in same origin. This fixes a bug where the memory cache was bypassing subresource integrity checks when a resource is loaded for a second time in the same origin. The resource in the memory cache was correctly storing that an integrity check had already been done so whene it was retrieved later, it wouldn't need to be checked again, but it didn't store the fact that this was a *failure*, so when the load happened a second time, it assumed it was a good integrity. This modifies the resources to store a disposition for the integrity check, rather than just that the integrity check occurred. On a reload of the resource, if the integrity had failed the first time, the resource will fail to load. BUG=584155 Review URL: Cr-Commit-Position: refs/heads/master@{#374336} (cherry picked from commit bf24693238d407f90bec71453b18aae8dd1c0f43) Committed:

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+50 lines, -6 lines) Patch
A third_party/WebKit/LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-block-same-resource-twice.html View 1 chunk +26 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/dom/PendingScript.cpp View 1 chunk +8 lines, -2 lines 0 comments Download
M third_party/WebKit/Source/core/fetch/ScriptResource.h View 3 chunks +10 lines, -3 lines 0 comments Download
M third_party/WebKit/Source/core/fetch/ScriptResource.cpp View 2 chunks +6 lines, -1 line 0 comments Download


Total messages: 2 (1 generated)
4 years, 10 months ago (2016-02-19 17:54:51 UTC) #2
Message was sent while issue was closed.
Committed patchset #1 (id:1) manually as

Powered by Google App Engine
This is Rietveld 408576698