- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 4 Nov 2014 20:55:50 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: Tanvi Vyas <tanvi@mozilla.com>, Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>, Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> In order to avoid breaking the web, the default has to be MUST NOT, because > SRI on non-secure origins has clear, well-known compatibility concerns due > to middleboxes tampering with content. Before the working group could re middleboxes: how about integrity values for resources fetched over https? An http page could include a script from a third party server via HTTPS. I don't understand what we achieve by ignoring the integrity attribute there. The SRI is as secure as the page is. -dev
Received on Wednesday, 5 November 2014 04:56:37 UTC