- From: Brian Smith <brian@briansmith.org>
- Date: Thu, 20 Nov 2014 14:00:01 -0800
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Joel Weinberger <jww@chromium.org>, Hatter Jiang OWS <hatter@openwebsecurity.org>, Ben Toews <btoews@github.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Nov 20, 2014 at 7:24 AM, Frederik Braun <fbraun@mozilla.com> wrote: >> "Brian Smith" <brian@briansmith.org> >> ... With this in mind, I am surprised that the >> current editor's draft cut out support for stylesheets ... > > Styles are actually included. > > The current editor's draft is not yet inline with my previous work towards the minimum viable SRI - the markdown file is updated whereas the HTML is not (and that's my fault). I'm currently out of office, so I'll promise to fix this tomorrow morning (CET), unless someone beats me to it (*winking at the co-editors*). Great! Which of the use cases are going to get cut for the MVP? IMO, all of the following could get cut, to leave just the CDN use case, and you'd still end up with a very good result: * "An author wants to include JavaScript provided by a third-party analytics service on her site." I agree this is a problem; I'm not sure SRI is likely to be a practical solution for it, because the third-party analytics service wants to be able to update the code when it wants to, and is unlikely to provide URLs to unchanging versions of the script. * "A user agent wishes to ensure that pieces of its UI which are rendered via HTML (for example, Chrome's New Tab Page) aren't manipulated before display." This doesn't seem like an MVP type issue to me. * "The author of a mash-up wants to make sure her creation remains in a working state." I don't understand this one very well. Is it really necessary for the MVP? Cheers, Brian
Received on Thursday, 20 November 2014 22:00:29 UTC