W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

[SRI] unsupported hashes and invalid metadata

From: Francois Marier <francois@mozilla.com>
Date: Wed, 24 Dec 2014 14:45:19 +1300
Message-ID: <549A1AAF.1040305@mozilla.com>
To: public-webappsec@w3.org
I've opened an issue around invalid metadata and unsupported hashes:

  https://github.com/w3c/webappsec/issues/119

as well as opened two pull requests for resolving the ambiguity:

  https://github.com/w3c/webappsec/pull/86
  https://github.com/w3c/webappsec/pull/120

The gist of the issue is what should we do with an integrity attribute like:

  <script src="..." integrity="ni:///sha-1024;...">

Should it be ignored and the script loaded as with non-SRI enabled
browsers (as if the integrity attribute wasn't there)?

Or should it be ignored and cause the script to be blocked?

I can personally see arguments both ways, so I'm curious what others think.

Francois
Received on Thursday, 25 December 2014 19:37:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC