Re: [integrity] What should we hash?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 9 Apr 2014 12:29:28 -0500
Message-ID: <CAPfop_1rpKU_MJxZb7gcNhvBpEjvA9dS2koJe26kg_fF5LJFyg@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>

> See above.  You'd be setting up a situation where the download works fine
> in a browser without SRI but fails in one with.  Which is a general problem
> with SRI, of course...  But the point is that from a user's point of view
> the browser will update and stuff will stop working.  That is what we call
> a Bad User Experience.

Yeah, I would agree with you for the typical web platform feature. But, SRI
is a feature that the developer opts in to---most downloads would continue
to work as before. Only downloads that turned on SRI would break.

So the experience would be more like: stuff stops working on a particular
site that adopted SRI for downloads (not just subresources) but didn't
test it. Doesn't seem that likely to me.

I wonder if there is any precedent for having stricter requirements for
such opt-in features.

Received on Wednesday, 9 April 2014 17:30:16 UTC
