W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] may only be used in documents in secure origins

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 5 Nov 2014 09:45:30 +0100
Message-ID: <CADnb78hWJL9RqLd8VqLuWB9bf7Lfrq+Y5QSttNWsgm_ca=-2Uw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>, Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Nov 5, 2014 at 5:29 AM, Brian Smith <brian@briansmith.org> wrote:
> But, unless/until somebody actually does that experiment, for "don't break
> the web" reasons alone, it makes sense to say that SRI MUST NOT be enforced
> only for non-HTTPS documents or non-HTTPS subresources.

To be clear, this is different from what Chrome does today. Per OP,
Chrome Canary blocks.

Received on Wednesday, 5 November 2014 08:45:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:42 UTC