Re: [SRI] may only be used in documents in secure origins from Brian Smith on 2014-11-05 (public-webappsec@w3.org from November 2014)

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 12:57:24 -0800
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>, Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt6wJ6nVq8AnDh0TeJPtR+5FHfuOJoy0h-m7+ZHPPm8gmg@mail.gmail.com>

On Wed, Nov 5, 2014 at 12:45 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Nov 5, 2014 at 5:29 AM, Brian Smith <brian@briansmith.org> wrote:
> > But, unless/until somebody actually does that experiment, for "don't
> break
> > the web" reasons alone, it makes sense to say that SRI MUST NOT be
> enforced
> > only for non-HTTPS documents or non-HTTPS subresources.
>
> To be clear, this is different from what Chrome does today. Per OP,
> Chrome Canary blocks.
>

Thanks! I indeed misunderstood OP. I am not sure that blocking is better or
worse than ignoring. However, I think my general point remains that SRI for
non-secure origins hasn't even been demonstrated to work, so it's premature
to try to standardize SRI for non-secure origins. And, it isn't reasonable
to expect Google to spend effort to prove that one way or another, so if
others want SRI for non-secure origins then they need to demonstrate that
it will not break the web, just like Google is doing with its experiments
with SRI for secure origins.

Cheers,
Brian

Received on Wednesday, 5 November 2014 20:57:51 UTC