W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] may only be used in documents in secure origins

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 12:57:24 -0800
Message-ID: <CAFewVt6wJ6nVq8AnDh0TeJPtR+5FHfuOJoy0h-m7+ZHPPm8gmg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>, Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Nov 5, 2014 at 12:45 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Nov 5, 2014 at 5:29 AM, Brian Smith <brian@briansmith.org> wrote:
> > But, unless/until somebody actually does that experiment, for "don't
> break
> > the web" reasons alone, it makes sense to say that SRI MUST NOT be
> enforced
> > only for non-HTTPS documents or non-HTTPS subresources.
> To be clear, this is different from what Chrome does today. Per OP,
> Chrome Canary blocks.

Thanks! I indeed misunderstood OP. I am not sure that blocking is better or
worse than ignoring. However, I think my general point remains that SRI for
non-secure origins hasn't even been demonstrated to work, so it's premature
to try to standardize SRI for non-secure origins. And, it isn't reasonable
to expect Google to spend effort to prove that one way or another, so if
others want SRI for non-secure origins then they need to demonstrate that
it will not break the web, just like Google is doing with its experiments
with SRI for secure origins.

Received on Wednesday, 5 November 2014 20:57:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:42 UTC