- From: Frederik Braun <fbraun@mozilla.com>
- Date: Wed, 29 Oct 2014 13:07:40 +0100
- To: public-webappsec@w3.org
On 29.10.2014 12:49, Mike West wrote: > It's not clear to me from the notes what the minimal subset is. Could > someone who was involved in the conversation sketch an outline of what > we'd keep and what we'd punt? * SRI has no per-hash caching * SRI will not relax mixed content * SRI requires the resource to be CORS-enabled or same-origin. * SRI for just script, style and possibly downloads. script being the priority. (i.e., no object, frame, etc. for now). * SRI will (for now) work only when used on authenticated origins. It appears to me that Mozilla's position was to have it work for unauthenticated origins as well, but we did not reach consensus. * Fallbacks: There was a lot of dislike for the "noncanonical-src" name. We also thought about src and fallback-src in the meeting. But I think the original idea was to have the default (src) to be the safe (on-origin) option, so an author can ensure the script is as intended (i.e. not from an untrusted CDN) if the user agent does not support SRI. So I propose src and integrity-src. * Reporting? I am not sure about this one. * What about multiple hashes for one resource? Please shout if something is not within the consensus we tried to achieve yesterday! Freddy
Received on Wednesday, 29 October 2014 12:08:09 UTC