W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: [SRI] Towards v1 - do we need fallback/noncanonical-src?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 10 Dec 2014 11:20:18 -0800
Message-ID: <CAPfop_1UhKp9OT=iMiGpBRXmX8KxhTGtvp+MQztE6L3w2XWzTw@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I agree. local shim is a simple and easy solution. This works well
with module systems like requirejs with path fallbacks
(http://requirejs.org/docs/api.html#pathsfallbacks). I imagine we
could modify requirejs to say "when using CDN, load with SRI, don't
use SRI for fallback URIs"


On 10 December 2014 at 09:39, Frederik Braun <fbraun@mozilla.com> wrote:
> I am leaning towards taking the current state and calling it a v1 around
> January.
> This includes mostly what Chromium has in Canary (Firefox has a
> work-in-progress patch that is aligned with what Chromium does, modulo
> the authenticated origin discussion, that should happen in another thread).
> It seems that both sides are OK with implementing
> fallback/noncanonical-src attributes (allows loading the resource from
> another location, if the integrity check fails). But we are not sure
> whether it should be included in v1.
> So, the question is: What do web developers want?
> I'm slightly leaning towards no, as a local shim could always check if
> something has been declared or not.
> (I'll start another thread about error reporting in a minute)
Received on Wednesday, 10 December 2014 19:21:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:43 UTC