On Wed, Nov 5, 2014 at 12:45 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, Nov 5, 2014 at 5:29 AM, Brian Smith <brian@briansmith.org> wrote:
> > But, unless/until somebody actually does that experiment, for "don't
> > break the web" reasons alone, it makes sense to say that SRI MUST NOT be
> > enforced only for non-HTTPS documents or non-HTTPS subresources.
>
> To be clear, this is different from what Chrome does today. Per OP,
> Chrome Canary blocks.
>
Thanks! I indeed misunderstood OP. I am not sure that blocking is better or
worse than ignoring. However, I think my general point remains that SRI for
non-secure origins hasn't even been demonstrated to work, so it's premature
to try to standardize SRI for non-secure origins. And, it isn't reasonable
to expect Google to spend effort to prove that one way or another, so if
others want SRI for non-secure origins then they need to demonstrate that
it will not break the web, just like Google is doing with its experiments
with SRI for secure origins.

Cheers,
Brian