Re: [SRI] To trust or not to trust a CDN

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 5 Nov 2014 20:35:09 -0800
Message-ID: <CAPfop_1u8Hn-X6vS5c0M4AkUD5Wj_+hyMv_aofFE7s5umaRpkg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Joel Weinberger <jww@chromium.org>, Hatter Jiang OWS <hatter@openwebsecurity.org>, Ben Toews <btoews@github.com>, Mike West <mkwst@google.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

> I agree that that would be good, and that's exactly what would have happened
> if Frederik hadn't pointed out this issue before SRI were standardized. But,
> since we know about the issue now, I think it is reasonable to consider
> changes to the syntax that avoid the problem now, so that we don't end up
> with a bad syntax later.

I guess I see the header (in CSP or separate SRI header) mechanism as
something that can be easily added on later. Is there a particular
part of the current syntax that makes you think it won't be possible
to evolve the direction you envision?

Received on Thursday, 6 November 2014 04:35:56 UTC
