Re: [SRI] To trust or not to trust a CDN

From: Brian Smith <brian@briansmith.org>
Date: Thu, 20 Nov 2014 14:00:01 -0800
Message-ID: <CAFewVt5UwQ=ma4evLfcEDXu+F2Eni32q1xZF4LSaRCBCwHjwZg@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Joel Weinberger <jww@chromium.org>, Hatter Jiang OWS <hatter@openwebsecurity.org>, Ben Toews <btoews@github.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Nov 20, 2014 at 7:24 AM, Frederik Braun <fbraun@mozilla.com> wrote:
>> "Brian Smith" <brian@briansmith.org>
>> ... With this in mind, I am surprised that the
>> current editor's draft cut out support for stylesheets ...
>
> Styles are actually included.
>
> The current editor's draft is not yet in line with my previous work towards the minimum viable SRI - the markdown file is updated whereas the HTML is not (and that's my fault). I'm currently out of office, so I'll promise to fix this tomorrow morning (CET), unless someone beats me to it (*winking at the co-editors*).

Great! Which of the use cases are going to get cut for the MVP? IMO,
all of the following could get cut, to leave just the CDN use case,
and you'd still end up with a very good result:

* "An author wants to include JavaScript provided by a third-party
analytics service on her site." I agree this is a problem; I'm not
sure SRI is likely to be a practical solution for it, because the
third-party analytics service wants to be able to update the code when
it wants to, and is unlikely to provide URLs to unchanging versions of
the script.

* "A user agent wishes to ensure that pieces of its UI which are
rendered via HTML (for example, Chrome's New Tab Page) aren't
manipulated before display." This doesn't seem like an MVP type issue
to me.

* "The author of a mash-up wants to make sure her creation remains in
a working state." I don't understand this one very well. Is it really
necessary for the MVP?

Cheers,
Brian
Received on Thursday, 20 November 2014 22:00:29 UTC