
Re: [SRI] unsupported hashes and invalid metadata

From: Chris Palmer <palmer@google.com>
Date: Mon, 29 Dec 2014 16:25:49 -0800
Message-ID: <CAOuvq22yuJVfXqd77Yt7moC3PY+tg7xf3nNXcmUBOU_yuc3=pg@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Mike West <mkwst@google.com>, Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sat, Dec 27, 2014 at 8:49 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> Imagine you are a web site owner and deploy SRI. 2 years from now, all
> versions of SHA currently supported are broken. Browsers have switched
> over to supporting SHAwesome or whatever. But, since there is always
> that random user who doesn't update. What do you want the website to
> do?

If browsers support SRI in HTTP pages, it will not be a security
feature. It should therefore fail open, perhaps with logging or
reporting.

Received on Tuesday, 30 December 2014 00:26:20 UTC
