Re: [SRI] may only be used in documents in secure origins

On Mon, Nov 3, 2014 at 4:02 PM, Joel Weinberger <> wrote:

>> Although it would be desirable for every site to use HTTPS,
>> I don't think that SRI is the right way of promoting this.
> This isn't a matter of promoting HTTPS; it's a matter of suggesting to users
> and developers that they're getting a security property that they're simply
> not getting.


I'm increasingly concerned about this idea, popping up in several
contexts now, that there can be any security at all without at least
strong server authentication, data integrity, and data
confidentiality. Like, we need those as the baseline minimum, so that
we can *begin* to think about the next problems, like metadata

Putzing around in the margins like this (Better Than Nothingism) is
not going to help users.

Received on Tuesday, 4 November 2014 00:28:27 UTC