- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 2 Jul 2019 08:10:58 -0700
- To: Frederik Braun <fbraun@mozilla.com>, Bertil Chapuis <bertil.chapuis@unil.ch>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 7/2/19 7:50 AM, Frederik Braun wrote:
>> Last year, I briefly presented a study related to SRI at TPAC and
>> proposed to extend the specification (as initially intended) to
>> other HTML elements such as img, video, or a.
>
> To be clear, I don't have a strong interest to introduce new things
> to SRI yet, but I do want to clean up some of the remaining issues.
The initial impetus for SRI was images (anti-deeplinking shenanigans)
and downloads (dubious mirrors) so it would be great to eventually get
those into the spec. I don't believe there would be much support for SRI
on navigational anchors, just downloads.
>> Regarding the require-sri-for header, [...] don’t you think it
>> introduce a nice separation of concerns between system
>> administrators and web developer that could eventually help at
We were hopeful, but at the moment there are several types of script
inclusions that can't be covered by the current spec, leading to either
a false sense of security ("no one can mess with any scripts") or future
breakage of working pages when we do invent a way to specify hashes for
those types but old pages don't have the hashes.
-Dan Veditz
Received on Tuesday, 2 July 2019 15:11:25 UTC