W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Couple comments on Subresource Integrity

From: Trevor Perrin <trevp@trevp.net>
Date: Mon, 24 Mar 2014 18:06:19 -0700
Message-ID: <CAGZ8ZG314LKB_Ng86cZwB5PLcAAjn+hci6AV=zXWiH7c8FoU9A@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi webappsec,

I'm glad to see this!  I think it's necessary for things like HPKP,
TACK, and DANE to be effective for many sites.  Without this,
"pinning" stronger security onto an origin could be undermined if that
origin loads a script from elsewhere, e.g. a CDN.

Couple comments:

1) Why does the content-type need to be specified in the link?  Why
not just include it as input to the hash?

2) The "ni://" prefix seems pointless, why not just name the attribute
after the hash algo, i.e.

 sha256="base64..."

   instead of

 integrity="ni://sha256;base64..."


Trevor
Received on Tuesday, 25 March 2014 01:06:46 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC