W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: Couple comments on Subresource Integrity

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 25 Mar 2014 21:21:04 +0100
To: Trevor Perrin <trevp@trevp.net>
Cc: Brad Hill <hillbrad@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <0io3j95p0hhksaduqki7j5u7kv59nfl9un@hive.bjoern.hoehrmann.de>
* Trevor Perrin wrote:
>Bjoern wrote:
>> Tight coupling has a number of downsides; an example is that implemen-
>> tations can detect the presence of integrity information even when the
>> document uses an unrecognised algorithm.
>Hi Bjoern,
>I didn't see where the spec handles an unrecognized hash algo
>different from absent integrity info?

The point of the example is that an implementation would need to know
which attributes carry integrity information, which is simple with an
`integrity` attribute and impossible with your scheme; there is no need
for the specification to demand any specific behavior; as an example, a
browser vendor might decide never to make the address bar "green" when
there is integrity information the browser cannot verify (because the
scheme is unknown); there is no need to codify that in the standard.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 25 March 2014 20:21:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:38 UTC