Re: SRI: <a> vs integrity

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 04 Sep 2014 22:31:20 +0200
Message-ID: <5408CC18.6080101@gmx.de>
To: Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>
CC: "Hill, Brad" <bhill@paypal.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 2014-07-29 02:13, Chris Palmer wrote:
> ...
> The run-time provable, run-time enforceable way is for sites to serve
> download pages and the downloaded files themselves via HTTPS with
> valid certificates, and then to make use of (for code downloads)
> whatever code-signing mechanism the destination platform provides
> (every platform provides some kind of code authentication now).
> ...

1) This defeats public caching.

2) It also doesn't help with many types of downloads, such as source 
archives.

Best regards, Julian
Received on Thursday, 4 September 2014 20:32:00 UTC
