- From: Frederik Braun <fbraun@mozilla.com>
- Date: Thu, 20 Mar 2014 14:06:58 +0100
- To: Jacob Hoffman-Andrews <jsha@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 20.03.2014 07:27, Jacob Hoffman-Andrews wrote:
> If we could add SRI to JS from *..twimg.com <http://twimg.com/>, we
> would not be as dependent on the security of those additional CAs,
> nor would we need to trust our CDNs not to serve poisoned JS.

This is exactly one of the intended use cases: Reducing the authority an origin selected for inclusion has on your document.

> I've heard some talk about using SRI with HTTP resources, with user
> agents possibly bypassing mixed content checks in that situation. I think
> bypassing mixed content checks would be a bad idea, since SRI does
> not provide the confidentiality that HTTPS is supposed to provide.

This is an open question and we haven't made any decision yet. I agree with you, but let me sum up my reasoning behind this:

SRI+HTTP cannot replace HTTPS. While SRI helps prevent active attacks and detect modified resources, it does not provide the confidentiality that HTTPS provides (though the confidentiality is of course limited, given the data one can gather from response lengths and IP addresses).

Thank you for the feedback,
Frederik

Received on Thursday, 20 March 2014 13:07:27 UTC