Re: [SRI] may only be used in documents in secure origins

Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > In order to avoid breaking the web, the default has to be MUST NOT, because
> > SRI on non-secure origins has clear, well-known compatibility concerns due
> > to middleboxes tampering with content. Before the working group could
>
> re middleboxes: how about integrity values for resources fetched over
> https? An http page could include a script from a third party server
> via HTTPS. I don't understand what we achieve by ignoring the
> integrity attribute there. The SRI is as secure as the page is.
>

Good point. I agree that is likely to be less problematic than the case of
SRI on a non-HTTPS resource. But, I think that it still needs to be
demonstrated to work.

Cheers,
Brian

Received on Wednesday, 5 November 2014 20:59:49 UTC