- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 15 Jan 2014 19:14:15 -0800
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: Joel Weinberger <jww@chromium.org>, Adam Langley <agl@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

>> My only concern: I am not sure whether we want to make this a
>> requirement for the first version of the spec or make it a requirement
>> in the second version.
>
> The strongest use cases for integrity are for JS, CSS, fonts, and for
> binary downloads. Most of these can't be really rendered speculatively
> as they load; binary blobs are the only exception, I think, but they
> do not benefit hugely from progressive validation.

Exactly. Waiting for version 2 of the spec for progressive authentication makes sense to me. This allows us to thrash out all other issues. Version 2 can specify progressive authentication and, thus, make integrity validation for passive multimedia a lot more usable.

Interestingly, the current spec's CSP does not have a way to say "require for JS, CSS, fonts, downloads." Maybe we should change that given this discussion?

~dev

Received on Thursday, 16 January 2014 03:15:01 UTC