W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] may only be used in documents in secure origins

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Tue, 4 Nov 2014 19:22:01 -0800
Message-ID: <CALx_OUDFZRLNSZBme2Yxto6BJ5CRa0q--6gEHNE8Yjyv-Byu-A@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Pete Freitag <pete@foundeo.com>
> Why expend effort on a guarantee so weak you don't want to surface it to
> users?

If it's extra work, I don't think it makes sense. But it doesn't
really add complexity to permit HTTP origins, right?

I think the best argument in favor of allowing it is that it improves
the security of the web. Today, people load scripts from CDNs, social
networks, and ads services, and if the CDN / etc gets compromised,
they will have a very bad time. SRI can fix that, that's a good thing.

Separately, we have this dream of promoting broader use of HTTPS (with
opinions somewhere on a scale between "Amazon and Bing really need to
start doing it" and "HTTP needs to die completely") that may or may
not come to fruition.

I'm unconvinced that we should take away SRI from HTTP sites to get
there, though. Maybe...

/mz
Received on Wednesday, 5 November 2014 03:22:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC