W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] may only be used in documents in secure origins

From: Chris Palmer <palmer@google.com>
Date: Tue, 4 Nov 2014 16:24:35 -0800
Message-ID: <CAOuvq227mEwdhDs4UPJ8c3NFdUQ8Dzd7EzvcpAaW0tQTHTRjaA@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Pete Freitag <pete@foundeo.com>
Why expend effort on a guarantee so weak you don't want to surface it to
users?

...When engineering resources are already scarce?

...When we know that developers need a clear path to security just as much
as users do, and that every new knob and lever increases confusion?

HTTPS is the bare minimum. It's not about carrots and sticks.
Received on Wednesday, 5 November 2014 00:25:02 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC