W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: Minimum viable SRI?

From: Frederik Braun <fbraun@mozilla.com>
Date: Wed, 29 Oct 2014 13:07:40 +0100
Message-ID: <5450D88C.5040500@mozilla.com>
To: public-webappsec@w3.org
On 29.10.2014 12:49, Mike West wrote:
> It's not clear to me from the notes what the minimal subset is. Could
> someone who was involved in the conversation sketch an outline of what
> we'd keep and what we'd punt?

* SRI has no per-hash caching
* SRI will not relax mixed content
* SRI requires the resource to be CORS-enabled or same-origin.
* SRI for just script, style and possibly downloads. script being the
priority. (i.e., no object, frame, etc. for now).
* SRI will (for now) work only when used on authenticated origins. It
appears to me that Mozilla's position was to have it work for
unauthenticated origins as well, but we did not reach consensus.
* Fallbacks: There was a lot of dislike for the "noncanonical-src" name.
We also thought about src and fallback-src in the meeting. But I think
the original idea was to have the default (src) to be the safe
(on-origin) option, so an author can ensure the script is as intended
(i.e. not from an untrusted CDN) if the user agent does not support SRI.
So I propose src and integrity-src.

* Reporting? I am not sure about this one.
* What about multiple hashes for one resource?

Please shout if something is not within the consensus we tried to
achieve yesterday!

Received on Wednesday, 29 October 2014 12:08:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC