- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Tue, 4 Nov 2014 19:22:01 -0800
- To: Chris Palmer <palmer@google.com>
- Cc: Tanvi Vyas <tanvi@mozilla.com>, Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Pete Freitag <pete@foundeo.com>
> Why expend effort on a guarantee so weak you don't want to surface it to > users? If it's extra work, I don't think it makes sense. But it doesn't really add complexity to permit HTTP origins, right? I think the best argument in favor of allowing it is that it improves the security of the web. Today, people load scripts from CDNs, social networks, and ads services, and if the CDN / etc gets compromised, they will have a very bad time. SRI can fix that, that's a good thing. Separately, we have this dream of promoting broader use of HTTPS (with opinions somewhere on a scale between "Amazon and Bing really need to start doing it" and "HTTP needs to die completely") that may or may not come to fruition. I'm unconvinced that we should take away SRI from HTTP sites to get there, though. Maybe... /mz
Received on Wednesday, 5 November 2014 03:22:49 UTC