Re: [SRI] may only be used in documents in secure origins

Devdatta Akhawe <> wrote:

> > In order to avoid breaking the web, the default has to be MUST NOT,
> because
> > SRI on non-secure origins has clear, well-known compatibility concerns
> due
> > to middleboxes tampering with content. Before the working group could
> re middleboxes: how about integrity values for resources fetched over
> https? An http page could include a script from a third party server
> via HTTPS. I don't understand what we achieve by ignoring the
> integrity attribute there. The SRI is as secure as the page is.

Good point. I agree that is likely to be less problematic than the case of
SRI on a non-HTTPS resource. But, I think that it still needs to be
demonstrated to work.


Received on Wednesday, 5 November 2014 20:59:49 UTC