
Re: [integrity] The noncanonical-src attribute

From: Hill, Brad <bhill@paypal.com>
Date: Fri, 13 Jun 2014 17:59:45 +0000
To: Frederik Braun <fbraun@mozilla.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <B2DBBCBF-6580-434F-BC4B-8D247E261652@paypal.com>
I'm also afraid that, given the unfortunate prevalence of HTTPS intercepting-and-modifying proxies, all practical use of this is going to pretty much have to specify fallbacks for things like script, where it is of most importance.  Otherwise the loss of audience will be unacceptable to deployers.

-Brad

On Jun 13, 2014, at 5:43 AM, Frederik Braun <fbraun@mozilla.com> wrote:

> Why exactly do you consider it complicated to implement? Can you please
> elaborate?
> 
> 
> On 13.06.2014 08:37, Simon Pieters wrote:
>> http://w3c.github.io/webappsec/specs/subresourceintegrity/#the-noncanonical-src-attribute-todo
>> 
>> 
>> I think the noncanonical-src feature is going to be insanely complicated
>> to get right. Please remove it. If authors want fallback, they can do so
>> in an imperative fashion, e.g.:
>> 
>> <script src="https://example.com/script.js"
>>        integrity="ni:///sha-256;jsdfhiuwergn...vaaetgoifq?ct=application/javascript"
>>        onerror="var s = document.createElement('script');
>>                 s.src = 'https://cdn.example.com/script.js';
>>                 this.after(s);"></script>
>> 
>> cheers
> 
> 
Received on Friday, 13 June 2014 18:00:14 UTC
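
The fallback behaviour discussed in this thread, as an added example that is not part of the original messages or of the draft specification: it parses the ni URI form used in the quoted integrity attribute and accepts the first source whose SHA-256 digest matches. Unlike the quoted onerror snippet, whose replacement element carries no integrity attribute, every candidate here is verified; `loadWithFallback`, the injected `fetchBody` loader and the sample bodies are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Parse the RFC 6920 "ni" URI form used by the integrity attribute quoted above:
//   ni:///sha-256;<base64url digest>?ct=<content type>
function parseNi(uri) {
  const m = /^ni:\/\/\/([a-z0-9-]+);([A-Za-z0-9_-]+)(?:\?ct=(.+))?$/.exec(uri);
  if (!m) throw new Error("not an ni URI: " + uri);
  return { alg: m[1], digest: m[2], contentType: m[3] || null };
}

// SHA-256 of the body, base64url without padding, as ni URIs encode it.
function niDigest(body) {
  return crypto.createHash("sha256").update(body).digest("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Try sources in order and return the first whose body matches the digest.
// fetchBody is a hypothetical injected loader: url -> string/Buffer, may throw.
function loadWithFallback(sources, integrity, fetchBody) {
  const want = parseNi(integrity);
  if (want.alg !== "sha-256") throw new Error("unsupported algorithm: " + want.alg);
  const rejected = [];
  for (const url of sources) {
    let body;
    try {
      body = fetchBody(url);
    } catch (e) {
      rejected.push({ url, reason: "load error" });
      continue;
    }
    if (niDigest(body) === want.digest) return { url, body, rejected };
    rejected.push({ url, reason: "digest mismatch" });
  }
  return { url: null, body: null, rejected }; // fail closed: nothing verified
}

// Constructed sample data: the published script and a copy altered in transit.
const GOOD = "console.log('hello');\n";
const ALTERED = GOOD + "/* injected by middlebox */\n";
const INTEGRITY = "ni:///sha-256;" + niDigest(GOOD) + "?ct=application/javascript";
const SOURCES = ["https://example.com/script.js", "https://cdn.example.com/script.js"];
const RESPONSES = { [SOURCES[0]]: ALTERED, [SOURCES[1]]: GOOD };

function demo() {
  return loadWithFallback(SOURCES, INTEGRITY, (url) => RESPONSES[url]);
}
console.log(demo().url, demo().rejected);
```

The `rejected` list is worth logging in a deployment, since a run of digest mismatches from one network is the signal that something on the path is rewriting the resource.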
