- From: Mark Watson <watsonm@netflix.com>
- Date: Mon, 17 Nov 2014 17:10:17 -0800
- To: Brad Hill <hillbrad@fb.com>
- Cc: Chris Palmer <palmer@google.com>, Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEnTvdAtGTtq4dHATB5c6X1+27GAeLPT9aDeg30WSz+uMy3apQ@mail.gmail.com>
Hi Brad, Thanks. I am not so much concerned with standardization status right now as with getting feedback on and discussion of the idea. If it's a good idea (or becomes one with discussion) people will want to implement it and _then_ people will want to standardize it. So, I agree that a Last Call comment aimed at modification of the current spec is not the best way forward. Anne also posted a variation / alternative and we should also discuss that. In that idea MSE is made to work like @src on audio/video with respect to mixed content, by direct use of fetch() with mode "No CORS" instead of XHR. I'd be interested what everyone thinks of that approach ? If I understand your comments (2), (3) correctly, you mean that since SRI only handles the integrity component, allowing SRI-protected resources to escape mixed content blocking would be considered to be putting the whole browsing session into a different, less secure, state ("security context") than if no such mixed-content was present and the issue is then how to message this new to the user ? I wonder whether people think that the request integrity idea has any impact on this i.e. could that or a variation avoid the need for a new state ? ...Mark On Mon, Nov 17, 2014 at 3:08 PM, Brad Hill <hillbrad@fb.com> wrote: > Mark, > > We discussed this on our call today and consensus was that there are a > couple issues here to tease apart. > > 1) SRI can provide an assertion of the integrity of a resource load. We > should investigate enhancements to the algorithm to allow making these > assertions for streaming or otherwise incrementally or randomly accessing > content. I have created ISSUE-72 to track this. > https://www.w3.org/2011/webappsec/track/issues/72 > > 2) The assertion about integrity SRI enables is a component of the > overall input to the algorithms for Mixed Content, which has just entered > Last Call. The group would welcome additional comments here. Sections 5.2 > http://www.w3.org/TR/mixed-content/#should-block-fetch and 5.3 > http://www.w3.org/TR/mixed-content/#should-block-response may have > relevant inputs from the results of an SRI check. However, this would > likely result in a new state for the security context. > > 3) Whether to handle such a new state and what UI treatment to give it is > today at the discretion of the browsers. I think the group would consider > specifying it but: > (a) There is a poor history of such attempts at the W3C and > elsewhere. > UAs are reluctant to commit to such things. > (b) Especially given this history I would be hesitant to add it as > a new > feature at Last Call unless we have a commitment from at least one > implementor. Our charter requires two independent interoperable > implementations to advance beyond CR, so any addition would need to be > marked as AT RISK. > > > If you do wish to make a Last Call comment the group will be obligated to > formally address it. My sense of the consensus is that there is no > objection to at least further exploring it as a Level 2 feature. I don't > want to just churn the current spec and burn editor's time if there's no > practical chance of it advancing, so I think getting expressions of intent > from implementers would be the major factor to get something in before > that. > > Thanks, > > Brad Hill > > >
Received on Tuesday, 18 November 2014 01:10:44 UTC