subresource integrity (was Re: PING call)

On May 18, 2015, at 5:20 AM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
> 
>> 2. Privacy review request from Web Applications Security WG concerning
>> Subresource Integrity [1]
> 
> It seems that there are no privacy considerations in this document.
> 
> Should we add something?

There is a Security Considerations section that is likely relevant to the things we typically review:

http://w3c.github.io/webappsec/specs/subresourceintegrity/#security-considerations-1

For example, cross-origin data leakage is one of the considerations there. I wonder if authors should typically write these as "Security and Privacy Considerations" since they so often overlap.

npd

Received on Tuesday, 19 May 2015 01:40:33 UTC