
Re: Subresource Integrity strawman.

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 8 Jan 2014 13:57:44 -0800
Message-ID: <CALx_OUD7mQprNtMU3-hbVEw4oJ=MDFbGji9jvMvj0Gb16mUVQQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@google.com>, Brad Hill <bhill@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Mark Nottingham <mnot@mnot.net>, Tab Atkins <tabatkins@google.com>, Ilya Grigorik <igrigorik@google.com>
>> What would be the behavior of clicking on a non-download link with the
>> integrity parameter specified? What would happen if this link is
>> opened in a new window? It seems that it may be difficult to behave
>> consistently in this case (e.g., how to handle right-click + "open in
>> an incognito window" in Chrome?).
>
> The intent is for nothing interesting to happen if the resource isn't being
> treated as a download.

OK, so let's say we have download + integrity - what happens on a
right-click + open in a new window / open in an incognito window?

It feels that it's going to be hard for implementations to enforce
integrity consistently on any clickable links; <script> and similar
subresources seem a lot more straightforward.

/mz
Received on Wednesday, 8 January 2014 21:58:32 UTC
