- From: Francois Marier <francois@mozilla.com>
- Date: Wed, 24 Dec 2014 14:45:19 +1300
- To: public-webappsec@w3.org
I've opened an issue around invalid metadata and unsupported hashes: https://github.com/w3c/webappsec/issues/119 as well as opened two pull requests for resolving the ambiguity: https://github.com/w3c/webappsec/pull/86 https://github.com/w3c/webappsec/pull/120 The gist of the issue is what should we do with an integrity attribute like: <script src="..." integrity="ni:///sha-1024;..."> Should it be ignored and the script loaded as with non-SRI enabled browsers (as if the integrity attribute wasn't there)? Or should it be ignored and cause the script to be blocked? I can personally see arguments both ways, so I'm curious what others think. Francois
Received on Thursday, 25 December 2014 19:37:15 UTC