W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] may only be used in documents in secure origins

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Tue, 04 Nov 2014 14:41:04 -0800
Message-ID: <54595600.8080100@mozilla.com>
To: Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>
CC: Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
SRI on an non-secure origin does not protect the user from an active 
network attacker that is MITM'ing their connections and changing their 
content.  But SRI on a non-secure origin does protect the user who is 
not subject to an active attack and who is trying to source javascript 
from a third party that has been compromised.  For me, that's a good 
enough reason to allow SRI on non-secure origins.

Most users aren't going to understand SRI at all and it's not a user 
facing feature, so we aren't giving them any new or misleading security 
guarantees.  There may be other new features that we want to restrict to 
HTTPS as a stick to get developers to migrate to secure origins, but 
features like SRI that can only help protect users shouldn't be put in 
that bucket.

On 11/3/14 4:28 PM, Chris Palmer wrote:
> On Mon, Nov 3, 2014 at 4:02 PM, Joel Weinberger <jww@chromium.org> wrote:
>
>>> Although it would be desirable for every site to use HTTPS,
>>> I don't think that SRI is the right way of promoting this.
>> This isn't a matter of promoting HTTPS; it's a matter of suggesting to users
>> and developers that they're getting a security property that they're simply
>> not getting.
> Exactly.
>
> I'm increasingly concerned about this idea, popping up in several
> contexts now, that there can be any security at all without at least
> strong server authentication, data integrity, and data
> confidentiality. Like, we need those as the baseline minimum, so that
> we can *begin* to think about the next problems, like metadata
> confidentiality.
>
> Putzing around in the margins like this (Better Than Nothingism) is
> not going to help users.
>
Received on Tuesday, 4 November 2014 22:40:57 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC