Re: [SRI] may only be used in documents in secure origins

On Tue, Nov 4, 2014 at 10:22 PM, Michal Zalewski <lcamtuf@coredump.cx>
wrote:

> If it's extra work, I don't think it makes sense. But it doesn't
> really add complexity to permit HTTP origins, right?
>

To the contrary it looks to me like it takes a few lines of additional code
to block the http scheme, see lines 90-103:
https://chromium.googlesource.com/chromium/blink/+/15bd7722d95ee0fd50887d84d75dff570569138b/Source/core/frame/SubresourceIntegrity.cpp#90

This is an interesting debate, even though I was the one to raise this
issue I do see merits to both sides of the issue. I think the hard fail is
a bit too much though, if you want to make a statement then log a console
message about it, this will annoy developers using http.

There are still a number of Google owned domains that do not allow HTTPS,
for example try https to a blogspot.com domain and you will get 302
redirected to http. Here's a good example:
https://googleonlinesecurity.blogspot.com/

HTTP/1.1 302 Moved Temporarily
Location: http://googleonlinesecurity.blogspot.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 05 Nov 2014 21:37:43 GMT
Expires: Wed, 05 Nov 2014 21:37:43 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

Also note the use of security headers here :)

Received on Wednesday, 5 November 2014 21:48:48 UTC