Re: [SRI] may only be used in documents in secure origins from Anne van Kesteren on 2014-11-05 (public-webappsec@w3.org from November 2014)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 5 Nov 2014 09:45:30 +0100
To: Brian Smith <brian@briansmith.org>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>, Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADnb78hWJL9RqLd8VqLuWB9bf7Lfrq+Y5QSttNWsgm_ca=-2Uw@mail.gmail.com>

On Wed, Nov 5, 2014 at 5:29 AM, Brian Smith <brian@briansmith.org> wrote:
> But, unless/until somebody actually does that experiment, for "don't break
> the web" reasons alone, it makes sense to say that SRI MUST NOT be enforced
> only for non-HTTPS documents or non-HTTPS subresources.

To be clear, this is different from what Chrome does today. Per OP,
Chrome Canary blocks.


-- 
https://annevankesteren.nl/

Received on Wednesday, 5 November 2014 08:45:56 UTC