[SRI] unsupported hashes and invalid metadata

I've opened an issue around invalid metadata and unsupported hashes:


as well as opened two pull requests for resolving the ambiguity:


The gist of the issue is what should we do with an integrity attribute like:

  <script src="..." integrity="ni:///sha-1024;...">

Should it be ignored and the script loaded as with non-SRI enabled
browsers (as if the integrity attribute wasn't there)?

Or should it be ignored and cause the script to be blocked?

I can personally see arguments both ways, so I'm curious what others think.


Received on Thursday, 25 December 2014 19:37:15 UTC