
Re: [SRI] may only be used in documents in secure origins

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 12:59:22 -0800
Message-ID: <CAFewVt5qdekgwTvZNFi9Z6wcjOZGef-WGW8qObq=7qtPKaassA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Chris Palmer <palmer@google.com>, Joel Weinberger <jww@chromium.org>, Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > In order to avoid breaking the web, the default has to be MUST NOT, because
> > SRI on non-secure origins has clear, well-known compatibility concerns due
> > to middleboxes tampering with content. Before the working group could
>
> re middleboxes: how about integrity values for resources fetched over
> https? An http page could include a script from a third party server
> via HTTPS. I don't understand what we achieve by ignoring the
> integrity attribute there. The SRI is as secure as the page is.

Good point. I agree that is likely to be less problematic than the case of
SRI on a non-HTTPS resource. But, I think that it still needs to be
demonstrated to work.

Received on Wednesday, 5 November 2014 20:59:49 UTC
