Re: [SRI] may only be used in documents in secure origins

> In order to avoid breaking the web, the default has to be MUST NOT, because
> SRI on non-secure origins has clear, well-known compatibility concerns due
> to middleboxes tampering with content. Before the working group could

re middleboxes: how about integrity values for resources fetched over
https? An http page could include a script from a third party server
via HTTPS. I don't understand what we achieve by ignoring the
integrity attribute there. The SRI is as secure as the page is.

-dev

Received on Wednesday, 5 November 2014 04:56:37 UTC