- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 15 Jan 2014 11:18:38 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Joel Weinberger <jww@chromium.org>, Adam Langley <agl@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> My only concern: I am not sure whether we want to make this a
> requirement for the first version of the spec or make it a requirement
> in the second version.

The strongest use cases for integrity are for JS, CSS, fonts, and for binary downloads. Most of these can't really be rendered speculatively as they load; binary blobs are the only exception, I think, but they do not benefit hugely from progressive validation.

There are peripheral use cases for "passive" multimedia (images, video, audio). They are less valuable to attackers, but also depend heavily on progressive loading. In these use cases, it feels like progressive validation is pretty much a strict requirement.

There are also use cases for plugin-rendered documents (e.g., PDF), but I'm not sure if we can make integrity work with plugins very easily to begin with (?).

The last use case would be for HTML in an <iframe>, but I don't think that would offer any real benefits with today's ads or gadgets.

/mz
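An added illustration of the trade-off discussed above (not from this thread or from the SRI spec): whole-resource validation cannot release a single byte to the decoder until the last byte has arrived, whereas a hypothetical per-chunk digest list validates as the data streams in and fails at the first bad chunk. The chunk size, the digest-list format and the sample "media" bytes are constructed for the demo.

```python
import hashlib

# Constructed sample resource: a small "media" blob that arrives in fixed-size
# network chunks (6-byte "frames" here, purely for illustration).
CHUNK = 6
RESOURCE = b"frame0frame1frame2frame3"


def split(data: bytes, size: int) -> list:
    """Model the body arriving chunk by chunk."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def whole_resource_digest(data: bytes) -> str:
    """SRI-style: one SHA-256 over the entire body, checkable only once complete."""
    return hashlib.sha256(data).hexdigest()


def consume_whole(chunks: list, expected: str):
    """Whole-resource validation. Nothing can be handed to the renderer until the
    final chunk is in and the digest matches. Returns (bytes released, ok)."""
    buf = bytearray()
    for c in chunks:
        buf += c  # buffered, not yet releasable
    ok = hashlib.sha256(bytes(buf)).hexdigest() == expected
    return (bytes(buf) if ok else b""), ok


def chunk_digests(data: bytes, size: int) -> list:
    """Hypothetical progressive scheme (assumption, not part of SRI): one digest
    per fixed-size chunk, published alongside the resource."""
    return [hashlib.sha256(c).hexdigest() for c in split(data, size)]


def consume_progressive(chunks: list, expected_digests: list):
    """Release each chunk as soon as its own digest matches; stop at the first
    mismatch or unexpected extra chunk. Returns (bytes released, bad index or None)."""
    released = bytearray()
    for i, c in enumerate(chunks):
        if i >= len(expected_digests):
            return bytes(released), i  # more data than the digest list covers
        if hashlib.sha256(c).hexdigest() != expected_digests[i]:
            return bytes(released), i  # tampered or corrupted chunk
        released += c  # safe to hand to the decoder now
    return bytes(released), None
```

With a chunk tampered mid-stream, the whole-resource check releases nothing and only fails at the end, while the progressive check has already released the first two chunks and pinpoints the third.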
Received on Wednesday, 15 January 2014 19:19:25 UTC