- From: Brad Hill <hillbrad@gmail.com>
- Date: Wed, 29 Oct 2014 08:52:11 -0700
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Great summary, thanks! I don't think we eliminated all controversy here: <a download> will still need some discussion, but I hope we've eliminated most of the issues it didn't look like we could drive to consensus in a reasonable time, and it may be easier to revisit those in the future with some implementation experience and data.

-Brad

On Wed, Oct 29, 2014 at 5:07 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> On 29.10.2014 12:49, Mike West wrote:
>> It's not clear to me from the notes what the minimal subset is. Could someone who was involved in the conversation sketch an outline of what we'd keep and what we'd punt?
>
> * SRI has no per-hash caching
> * SRI will not relax mixed content
> * SRI requires the resource to be CORS-enabled or same-origin.
> * SRI for just script, style and possibly downloads. script being the priority. (i.e., no object, frame, etc. for now).
> * SRI will (for now) work only when used on authenticated origins. It appears to me that Mozilla's position was to have it work for unauthenticated origins as well, but we did not reach consensus.
> * Fallbacks: There was a lot of dislike for the "noncanonical-src" name. We also thought about src and fallback-src in the meeting. But I think the original idea was to have the default (src) to be the safe (on-origin) option, so an author can ensure the script is as intended (i.e. not from an untrusted CDN) if the user agent does not support SRI. So I propose src and integrity-src.
>
> * Reporting? I am not sure about this one.
> * What about multiple hashes for one resource?
>
> Please shout if something is not within the consensus we tried to achieve yesterday!
>
> Freddy
Received on Wednesday, 29 October 2014 15:52:40 UTC
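As an added illustration (not code from this thread, the working group, or any browser), the following Python sketch shows how a user agent could apply two of the consensus points quoted above: integrity is only enforced when the fetched resource is same-origin or CORS-readable, and an integrity attribute may carry more than one hash. The `alg-<base64 digest>` token format follows the SRI specification as it was later published, not anything fixed in this 2014 discussion; the function names, the "any one matching token passes" policy, and the sample script bytes are assumptions made for this example.

```python
import base64
import hashlib
from typing import List, Tuple

# Digest algorithms the hypothetical user agent supports; unknown ones are ignored.
SUPPORTED_ALGS = {"sha256", "sha384", "sha512"}

# Constructed sample resource standing in for a script served by a CDN,
# plus a modified copy that should fail the integrity check.
SAMPLE_SCRIPT = b"window.greet = function () { return 'hello'; };\n"
TAMPERED_SCRIPT = SAMPLE_SCRIPT.replace(b"hello", b"hullo")


def compute_integrity(body: bytes, alg: str = "sha384") -> str:
    """Return an integrity token ("alg-<base64 digest>") for a resource body.

    Token syntax follows the later SRI specification (an assumption relative
    to the thread above, which fixes no syntax)."""
    if alg not in SUPPORTED_ALGS:
        raise ValueError(f"unsupported algorithm: {alg}")
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(metadata: str) -> List[Tuple[str, bytes]]:
    """Split whitespace-separated tokens into (alg, raw digest) pairs.

    Malformed tokens and unknown algorithms are skipped rather than rejected,
    so a page can list a newer algorithm without breaking older clients."""
    parsed = []
    for token in metadata.split():
        alg, sep, b64 = token.partition("-")
        if not sep or alg not in SUPPORTED_ALGS:
            continue
        try:
            parsed.append((alg, base64.b64decode(b64, validate=True)))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    return parsed


def should_load(body: bytes, metadata: str, *, same_origin: bool,
                cors_readable: bool) -> bool:
    """Decide whether the user agent may execute or apply a fetched resource.

    Mirrors the consensus points: a check is only possible when the response
    is same-origin or CORS-enabled (an opaque cross-origin response cannot be
    hashed), and several tokens may be listed. Accepting the resource when any
    one token matches is an assumed policy for this example."""
    if not metadata.strip():
        return True                 # no integrity attribute: nothing to enforce
    if not (same_origin or cors_readable):
        return False                # cannot verify an opaque response: block it
    tokens = parse_integrity(metadata)
    if not tokens:
        return True                 # only unknown algorithms listed: treat as no metadata
    return any(hashlib.new(alg, body).digest() == expected
               for alg, expected in tokens)


if __name__ == "__main__":
    token = compute_integrity(SAMPLE_SCRIPT)
    print("integrity token:", token)
    print("intact, same-origin:",
          should_load(SAMPLE_SCRIPT, token, same_origin=True, cors_readable=False))
    print("tampered copy:",
          should_load(TAMPERED_SCRIPT, token, same_origin=True, cors_readable=False))
    print("opaque cross-origin:",
          should_load(SAMPLE_SCRIPT, token, same_origin=False, cors_readable=False))
```

Running the block prints the sha384 token for the sample script and then `True`, `False`, `False` for the three cases: the intact same-origin resource loads, the modified copy is refused, and a cross-origin response without CORS is refused even though its bytes happen to be correct, because the user agent is not allowed to read them.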