Re: SRI fail open behaviour from Brian Smith on 2015-08-05 (public-webappsec@w3.org from August 2015)

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Aug 2015 13:25:44 -0400
To: Brad Hill <hillbrad@gmail.com>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt7Of5pHGFmHeZeYOOJEQn92GkhbM=RXusR+Nnn4mLGAiQ@mail.gmail.com>

On Wed, Aug 5, 2015 at 1:19 PM, Brad Hill <hillbrad@gmail.com> wrote:

> This goes back to some of the early design suggestions where we had things
> like src="safe_url" alt-src="CDN_url" alt-src-integrity="...".  We decided
> to cut those features for Level 1.  I'm not sure how requiring at least one
> valid hash recognized by an SRI-aware browser helps with the case where a
> website wants to send a different link for browsers that don't do SRI at
> all, or which don't recognize the algorithms chosen.
>

The server would send different links based on the User-Agent or similar,
based on its understanding of which UAs support SRI.

Cheers,
Brian

Received on Wednesday, 5 August 2015 17:26:13 UTC