Re: [SRI] Escaping mixed-content blocking for video distribution from Brad Hill on 2014-11-17 (public-webappsec@w3.org from November 2014)

From: Brad Hill <hillbrad@fb.com>
Date: Mon, 17 Nov 2014 23:08:32 +0000
To: Chris Palmer <palmer@google.com>, Brian Smith <brian@briansmith.org>
CC: Mark Watson <watsonm@netflix.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D08FBA9F.116F%hillbrad@fb.com>

Mark,

 We discussed this on our call today and consensus was that there are a
couple issues here to tease apart.

 1) SRI can provide an assertion of the integrity of a resource load.  We
should investigate enhancements to the algorithm to allow making these
assertions for streaming or otherwise incrementally or randomly accessing
content.  I have created ISSUE-72 to track this.
https://www.w3.org/2011/webappsec/track/issues/72

 
 2) The assertion about integrity SRI enables is a component of the
overall input to the algorithms for Mixed Content, which has just entered
Last Call. The group would welcome additional comments here.  Sections 5.2
http://www.w3.org/TR/mixed-content/#should-block-fetch and 5.3
http://www.w3.org/TR/mixed-content/#should-block-response may have
relevant inputs from the results of an SRI check.  However, this would
likely result in a new state for the security context.

 3) Whether to handle such a new state and what UI treatment to give it is
today at the discretion of the browsers.  I think the group would consider
specifying it but: 
 (a) There is a poor history of such attempts at the W3C and elsewhere.
UAs are reluctant to commit to such things.
 (b) Especially given this history I would be hesitant to add it as a new
feature at Last Call unless we have a commitment from at least one
implementor. Our charter requires two independent interoperable
implementations to advance beyond CR, so any addition would need to be
marked as AT RISK. 


If you do wish to make a Last Call comment the group will be obligated to
formally address it. My sense of the consensus is that there is no
objection to at least further exploring it as a Level 2 feature.   I don't
want to just churn the current spec and burn editor's time if there's no
practical chance of it advancing, so I think getting expressions of intent
from implementers would be the major factor to get something in before
that.

Thanks,

Brad Hill

Received on Monday, 17 November 2014 23:08:58 UTC