W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] may only be used in documents in secure origins

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 4 Nov 2014 20:55:50 -0800
Message-ID: <CAPfop_24ZtusMDYrijH+5BdvQ0HbT=ObSWH8z42rc1_9m1KfSQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>, Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org> 
> In order to avoid breaking the web, the default has to be MUST NOT, because
> SRI on non-secure origins has clear, well-known compatibility concerns due
> to middleboxes tampering with content. Before the working group could

re middleboxes: how about integrity values for resources fetched over
https? An http page could include a script from a third party server
via HTTPS. I don't understand what we achieve by ignoring the
integrity attribute there. The SRI is as secure as the page is.

-dev
Received on Wednesday, 5 November 2014 04:56:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC