W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: Minimum viable SRI?

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 29 Oct 2014 08:52:11 -0700
Message-ID: <CAEeYn8iWjRsSvhm5X1ppJWxvTVJ01D4A+e9CCO+2hxWwiWVfeg@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Great summary, thanks!

I don't think we eliminated all controversy here: <a download> will
still need some discussion, but I hope we've eliminated most of the
issues it didn't look like we could drive to consensus in a reasonable
time, and it may be easier to revisit those in the future with some
implementation experience and data.

-Brad

On Wed, Oct 29, 2014 at 5:07 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> On 29.10.2014 12:49, Mike West wrote:
>> It's not clear to me from the notes what the minimal subset is. Could
>> someone who was involved in the conversation sketch an outline of what
>> we'd keep and what we'd punt?
>
> * SRI has no per-hash caching
> * SRI will not relax mixed content
> * SRI requires the resource to be CORS-enabled or same-origin.
> * SRI for just script, style and possibly downloads. script being the
> priority. (i.e., no object, frame, etc. for now).
> * SRI will (for now) work only when used on authenticated origins. It
> appears to me that Mozilla's position was to have it work for
> unauthenticated origins as well, but we did not reach consensus.
> * Fallbacks: There was a lot of dislike for the "noncanonical-src" name.
> We also thought about src and fallback-src in the meeting. But I think
> the original idea was to have the default (src) to be the safe
> (on-origin) option, so an author can ensure the script is as intended
> (i.e. not from an untrusted CDN) if the user agent does not support SRI.
> So I propose src and integrity-src.
>
> * Reporting? I am not sure about this one.
> * What about multiple hashes for one resource?
>
>
>
> Please shout if something is not within the consensus we tried to
> achieve yesterday!
>
>
> Freddy
>
Received on Wednesday, 29 October 2014 15:52:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC