
Re: [SRI] Towards v1 - do we need fallback/noncanonical-src?

From: Brian Smith <brian@briansmith.org>
Date: Wed, 10 Dec 2014 16:04:57 -0800
Message-ID: <CAFewVt7=+GHYto-X6SohaEoju67nPQZvUw2=5yNnpMB=YbsmBg@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Dec 10, 2014 at 11:20 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> I agree. Local shim is a simple and easy solution. This works well
> with module systems like requirejs with path fallbacks
> (http://requirejs.org/docs/api.html#pathsfallbacks). I imagine we
> could modify requirejs to say "when using CDN, load with SRI, don't
> use SRI for fallback URIs"

I also agree. I think in the future, there should be a way to register
an event handler that can handle any failed load (CSP violation, SRI
failure, network error, etc.), where the handler can interrogate the
event object to learn the reason for the failure. Then the event
handler could retry the load from an alternative source and/or phone
home with an error report and/or do even more drastic things like
redirect to a fail-safe backup page.

Cheers,
Brian
Received on Thursday, 11 December 2014 00:05:24 UTC
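
The local-shim fallback discussed in this message, as an added example (not code from the thread, from RequireJS or from the SRI specification): the CDN copy is loaded with SRI and the same-origin fallback without it. The function name, the `report` callback, the URLs and the digest placeholder are assumptions made for illustration.

```javascript
// Added example: try each source in order; only entries that carry an
// `integrity` value are loaded with SRI (the CDN copy), the same-origin
// fallback is loaded without it.
// `doc` is the Document (passed in so the logic can be exercised offline),
// `report` is an optional hook for error reporting, `done(err, src)` is
// called once with the source that finally loaded.
function loadScriptWithFallback(doc, sources, report, done) {
  const tryNext = (i) => {
    if (i >= sources.length) {
      done(new Error('all script sources failed'), null);
      return;
    }
    const { src, integrity } = sources[i];
    const el = doc.createElement('script');
    el.src = src;
    if (integrity) {
      el.integrity = integrity;
      el.crossOrigin = 'anonymous'; // cross-origin SRI needs a CORS-enabled fetch
    }
    el.onload = () => done(null, src);
    el.onerror = () => {
      // The error event carries no reason: an SRI mismatch and a network
      // failure are indistinguishable here, so record which source failed
      // and whether SRI was in force, then move on.
      if (report) report({ failed: src, hadIntegrity: Boolean(integrity) });
      el.remove();
      tryNext(i + 1);
    };
    doc.head.appendChild(el); // handlers are attached before the load starts
  };
  tryNext(0);
}

// Browser usage with constructed values (placeholder digest, example hosts).
if (typeof document !== 'undefined') {
  loadScriptWithFallback(
    document,
    [
      { src: 'https://cdn.example/lib.js', integrity: 'sha384-PLACEHOLDER_DIGEST' },
      { src: '/js/lib.js' }, // local shim, no SRI
    ],
    (info) => console.warn('script load failed', info),
    (err, src) => console.log(err ? err.message : 'loaded ' + src)
  );
}
```

The fallback is only as trustworthy as the origin serving it, so the `report` hook is the place to surface a CDN integrity failure instead of letting the fallback mask it.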
