Re: [integrity] What should we hash? from Devdatta Akhawe on 2014-04-09 (public-webappsec@w3.org from April 2014)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 9 Apr 2014 12:29:28 -0500
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAPfop_1rpKU_MJxZb7gcNhvBpEjvA9dS2koJe26kg_fF5LJFyg@mail.gmail.com>

>
> See above.  You'd be setting up a situation where the download works fine
> in a browser without SRI but fails in one with.  Which is a general problem
> with SRI, of course...  But the point is that from a user's point of view
> the browser will update and stuff will stop working.  That is what we call
> a Bad User Experience.


Yeah, I would agree with you for the typical web platform feature. But, SRI
is a feature that the developer opts-in to---most downloads would continue
to work as before. Only downloads that turned on SRI would break.

So the experience would be more like: stuff stops working on a particular
site that adopted SRI for downloads (not just sub resources) but didn't
test it. Doesn't seem that likely to me.

I wonder if there is any precedent for having stricter requirements for
such opt-in features.

thanks
Dev

Received on Wednesday, 9 April 2014 17:30:16 UTC