Re: [SRI] may only be used in documents in secure origins

> Why expend effort on a guarantee so weak you don't want to surface it to
> users?

If it's extra work, I don't think it makes sense. But it doesn't
really add complexity to permit HTTP origins, right?

I think the best argument in favor of allowing it is that it improves
the security of the web. Today, people load scripts from CDNs, social
networks, and ads services, and if the CDN / etc. gets compromised,
they will have a very bad time. SRI can fix that; that's a good thing.

Separately, we have this dream of promoting broader use of HTTPS (with
opinions somewhere on a scale between "Amazon and Bing really need to
start doing it" and "HTTP needs to die completely") that may or may
not come to fruition.

I'm unconvinced that we should take away SRI from HTTP sites to get
there, though. Maybe...

/mz

Received on Wednesday, 5 November 2014 03:22:49 UTC