Re: [integrity] The noncanonical-src attribute

I'm also afraid that, given the unfortunate prevalence of HTTPS intercepting-and-modifying proxies, all practical use of this is going to pretty much have to specify fallbacks for things like script, where it is of most importance. Otherwise the loss of audience will be unacceptable to deployers.

-Brad

On Jun 13, 2014, at 5:43 AM, Frederik Braun <fbraun@mozilla.com> wrote:

> Why exactly do you consider it complicated to implement? Can you please
> elaborate?
> 
> 
> On 13.06.2014 08:37, Simon Pieters wrote:
>> http://w3c.github.io/webappsec/specs/subresourceintegrity/#the-noncanonical-src-attribute-todo
>> 
>> 
>> I think the noncanonical-src feature is going to be insanely complicated
>> to get right. Please remove it. If authors want fallback, they can do so
>> in an imperative fashion, e.g.:
>> 
>> <script src="https://example.com/script.js"
>>         integrity="ni:///sha-256;jsdfhiuwergn...vaaetgoifq?ct=application/javascript"
>>         onerror="var s = document.createElement('script');
>>                  s.src = 'https://cdn.example.com/script.js';
>>                  this.after(s);"></script>
>> 
>> cheers
> 
> 

Received on Friday, 13 June 2014 18:00:14 UTC
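
An added example, not code from this thread or from the spec: a Node.js sketch of the check behind an `ni:` integrity value like the one in the quoted snippet, showing why a copy modified in transit fails and a fallback source is tried. It generalizes to checking every candidate source; the `ni:` parsing follows RFC 6920, while `parseNi`, `verify`, `firstVerified`, the `ct` comparison and the sample bodies are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// RFC 6920 algorithm names mapped to Node hash names (only sha-256 here).
const NI_ALGS = { 'sha-256': 'sha256' };

// Parse "ni://[authority]/sha-256;<base64url digest>?ct=<content type>".
function parseNi(uri) {
  const m = /^ni:\/\/[^/]*\/([a-z0-9-]+);([A-Za-z0-9_-]+)(?:\?(.*))?$/.exec(uri);
  if (!m || !NI_ALGS[m[1]]) return null;       // unknown algorithm or bad syntax
  const ct = new URLSearchParams(m[3] || '').get('ct');
  return { alg: NI_ALGS[m[1]], digest: m[2], contentType: ct };
}

// True only if the digest matches and, when ct= is present, the type matches.
// Assumption: ct is compared with the response's content type.
function verify(body, contentType, niUri) {
  const ni = parseNi(niUri);
  if (!ni) return false;                       // fail closed
  if (ni.contentType && ni.contentType !== contentType) return false;
  const actual = crypto.createHash(ni.alg).update(body).digest('base64url');
  return actual === ni.digest;
}

// Return the URL of the first response that verifies, or null if none does.
function firstVerified(responses, niUri) {
  const hit = responses.find(r => verify(r.body, r.contentType, niUri));
  return hit ? hit.url : null;
}

// Constructed sample data: the published script and a copy altered in transit.
const original = Buffer.from('console.log("hello");\n');
const modified = Buffer.concat([original, Buffer.from('/* injected */')]);
const NI = 'ni:///sha-256;' +
  crypto.createHash('sha256').update(original).digest('base64url') +
  '?ct=application/javascript';
const responses = [
  { url: 'https://example.com/script.js', body: modified,
    contentType: 'application/javascript' },
  { url: 'https://cdn.example.com/script.js', body: original,
    contentType: 'application/javascript' },
];

console.log(firstVerified(responses, NI));
```

When every candidate arrives modified, `firstVerified` returns null, so the page still has to decide what to do when no source verifies.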