
Re: [integrity] What should we hash?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 9 Apr 2014 12:29:28 -0500
Message-ID: <CAPfop_1rpKU_MJxZb7gcNhvBpEjvA9dS2koJe26kg_fF5LJFyg@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
>
> See above.  You'd be setting up a situation where the download works fine
> in a browser without SRI but fails in one with.  Which is a general problem
> with SRI, of course...  But the point is that from a user's point of view
> the browser will update and stuff will stop working.  That is what we call
> a Bad User Experience.


Yeah, I would agree with you for the typical web platform feature. But, SRI
is a feature that the developer opts in to---most downloads would continue
to work as before. Only downloads that turned on SRI would break.

So the experience would be more like: stuff stops working on a particular
site that adopted SRI for downloads (not just subresources) but didn't
test it. Doesn't seem that likely to me.

I wonder if there is any precedent for having stricter requirements for
such opt-in features.

thanks
Dev
Received on Wednesday, 9 April 2014 17:30:16 UTC
