W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: Couple comments on Subresource Integrity

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 25 Mar 2014 23:25:49 +0100
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Trevor Perrin <trevp@trevp.net>, Brad Hill <hillbrad@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <kf04j9hh9flk4b4m8a7d0r13b9t4lb4qvv@hive.bjoern.hoehrmann.de>
* Daniel Kahn Gillmor wrote:
>On 03/25/2014 04:21 PM, Bjoern Hoehrmann wrote:
>> The point of the example is that an implementation would need to know
>> which attributes carry integrity information, which is simple with an
>> `integrity` attribute and impossible with your scheme; there is no need
>> for the specification to demand any specific behavior; as an example, a
>> browser vendor might decide never to make the address bar "green" when
>> there is integrity information the browser cannot verify (because the
>> scheme is unknown); there is no need to codify that in the standard.
>
>I disagree that the standard shouldn't weigh in here.  site operators
>need to have a sense of how these directives will be interpreted.

(I meant there is no need for the purposes of my argument and example; I
do agree the Working Group should carefully consider user agent behavior
for the cases you list.)
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 25 March 2014 22:26:17 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC