Checking the integrity of resources pulled in from within CSS stylesheets

[baloo]

I'm not sure to understand the spec correctly but I've been unable to find a way to validate integrity of sub-subresources, like images or font referenced from css.

I've put a sample code here:
https://github.com/baloo/subresource-integrity-test/blob/master/test.py

I'm probably missing something.

[fmarier]

It will be checked automatically by the browser (Chrome and Firefox only at the moment) and the load will fail if the hash doesn't match.

[baloo]

Which hash is it supposed to be checked against? I haven't hashed the font resource in my test sample, yet chrome does load it without any warning.

I'm pretty sure in my sample only the css gets hashed, and the resources referenced from the css are never actually checked anywhere.

I've put the sample generated output on: http://baloo.github.io/subresource-integrity-test/

[fmarier]

Oh sorry, I see what you mean: sub-subresources.

It's not supported in the current specification (or in the implementations). You can only hash the first level of resources.

[baloo]

Is this use-case considered?
I'd love to see something like:

tag {
  background-image: url('http://') sri('sha384-[hash]');
}

I believe it to be okay with css spec itself.

[mozfreddyb]

Clarification:

The way specifications work is a bit tricky, since each may have their own way to describe how to do HTTP requests. SRI refers to the fetch standard, which is supposed to become the canonical way of making requests. Fetch in itself supports an integrity option so you can say "fetch and return iff the result matches this hash" (roughly speaking).

I do not know how CSS handles requests, when you use url(). If it doesn't use fetch, it may need a substantial rewrite. If it already does, adding parameters to url() may be possible.

[annevk]

The CSS specifications indeed need to be (re)written to be on top of Fetch. Otherwise service workers and such won't work either.

I believe @tabatkins has fixed url() so that it can accept parameters. But those parameters will need to be designed, etc.

[annevk]

(There used to be some canonical issue on this, but since everything has moved in WebAppSec I'm not really sure where to find it.)

[mozfreddyb]

I found w3c/webappsec#306

[mikewest]

@tabatkins pointed me to https://drafts.csswg.org/css-values/#url-modifiers as a reasonable integration point for configuring resource fetching inside CSS, which would make it possible to add integrity metadata, etc. He suggests that " y'all just need to write up the proposal somewhat officially".

This will be a little difficult to do in spec language, as CSS doesn't always cleanly integrate with Fetch, or clearly define when/how resources are requested. But it should be possible to sketch out enough of a proposal and define your SRI2 requirements clearly enough to give them something to work with.

[jonathanKingston]

Will take a look at formalising this tonight, looks like fleshing out a stronger integration of https://www.w3.org/TR/2011/REC-CSS2-20110607/syndata.html#uri and/or https://www.w3.org/TR/css-values/#urlsto using fetch and how 's get used will be the core of the work.