- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 10 Dec 2014 11:20:18 -0800
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I agree. local shim is a simple and easy solution. This works well with module systems like requirejs with path fallbacks (http://requirejs.org/docs/api.html#pathsfallbacks). I imagine we could modify requirejs to say "when using CDN, load with SRI, don't use SRI for fallback URIs" --dev On 10 December 2014 at 09:39, Frederik Braun <fbraun@mozilla.com> wrote: > I am leaning towards taking the current state and calling it a v1 around > January. > > This includes mostly what Chromium has in Canary (Firefox has a > work-in-progress patch that is aligned with what Chromium does, modulo > the authenticated origin discussion, that should happen in another thread). > > > It seems that both sides are OK with implementing > fallback/noncanonical-src attributes (allows loading the resource from > another location, if the integrity check fails). But we are not sure > whether it should be included in v1. > > So, the question is: What do web developers want? > > > > I'm slightly leaning towards no, as a local shim could always check if > something has been declared or not. > > > (I'll start another thread about error reporting in a minute) >
Received on Wednesday, 10 December 2014 19:21:05 UTC