- From: Chris Palmer <palmer@google.com>
- Date: Mon, 29 Dec 2014 16:25:49 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Mike West <mkwst@google.com>, Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sat, Dec 27, 2014 at 8:49 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Imagine you are a web site owner and deploy SRI. 2 years from now, all
> versions SHA currently supported are broken. Browsers have switched
> over to supporting SHAwesome or whatever. But, since there is always
> that random user who doesn't update. What do you want the website to
> do?

If browsers support SRI in HTTP pages, it will not be a security feature. It should therefore fail open, perhaps with logging or reporting.

Received on Tuesday, 30 December 2014 00:26:20 UTC