Re: [SRI] unsupported hashes and invalid metadata

On 31/12/14 07:12, Brad Hill wrote:
> I also think there is a third way to handle deprecated algorithms - the
> way we handle them for SSL today - fail open and show a warning to
> encourage operators to perform necessary maintenance, then, after a
> reasonable time, fail closed.

There are two cases [1] to think about:

1. <script integrity="ni:///sha-512;foo"> for a modern browser that no
longer considers that hash algorithm secure

2. <script integrity="ni:///sha-1024;foo"> for an older browser that
doesn't know about this new hash algorithm

I think you're suggesting we fail open (for a time anyways) in the first
case by keeping a list of known-but-no-longer-trusted hash algorithms. I
can draft a pull request for this.

What should we do for completely unknown hash algorithms? (i.e. case 2
with old browsers) Dev suggested that perhaps failing open is the only
sane way to let site admins support the long tail of browsers.


[1] In both cases, the result of the metadata list parsing algorithm in
the spec is the empty string: there is integrity metadata, but the
browser doesn't support any of it.

Received on Tuesday, 30 December 2014 23:07:32 UTC