Re: SRI fail open behaviour

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Aug 2015 13:25:44 -0400
Message-ID: <CAFewVt7Of5pHGFmHeZeYOOJEQn92GkhbM=RXusR+Nnn4mLGAiQ@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Aug 5, 2015 at 1:19 PM, Brad Hill <hillbrad@gmail.com> wrote:

> This goes back to some of the early design suggestions where we had things
> like src="safe_url" alt-src="CDN_url" alt-src-integrity="...".  We decided
> to cut those features for Level 1.  I'm not sure how requiring at least one
> valid hash recognized by an SRI-aware browser helps with the case where a
> website wants to send a different link for browsers that don't do SRI at
> all, or which don't recognize the algorithms chosen.
>

The server would send different links based on the User-Agent or similar,
based on its understanding of which UAs support SRI.

Cheers,
Brian
Received on Wednesday, 5 August 2015 17:26:13 UTC
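
The User-Agent-based selection described in the message above, sketched as an added example that is not part of the original thread or of any SRI implementation. The helper names, the support table and its version numbers, and the example URLs are assumptions; agents the server cannot positively identify get the first-party link.

```javascript
// Added example (Node.js). All names and table values here are assumptions.
const { createHash } = require('crypto');

// Assumed minimum major versions that enforce SRI; maintain this from real
// compatibility data before relying on it.
const SRI_MIN_VERSION = { Chrome: 45, Firefox: 43 };

// Integrity metadata in the "<alg>-<base64 digest>" form used by SRI.
function integrityFor(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// True only for a browser and version listed in the table. Anything else,
// including a missing header, is treated as not supporting SRI.
function supportsSri(userAgent) {
  if (typeof userAgent !== 'string') return false;
  // Some other browsers embed "Chrome/<n>" in their UA string; they are not
  // in the table, so do not let them match the Chrome entry.
  if (/\b(Edge|OPR)\//.test(userAgent)) return false;
  for (const [name, min] of Object.entries(SRI_MIN_VERSION)) {
    const m = userAgent.match(new RegExp(`\\b${name}/(\\d+)`));
    if (m) return Number(m[1]) >= min;
  }
  return false;
}

function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
}

// SRI-aware agents get the CDN link pinned by a hash; all others get the
// first-party link, so no agent loads the CDN copy unverified.
// Responses built this way differ per agent and need "Vary: User-Agent".
function scriptTagFor(userAgent, { safeUrl, cdnUrl, body }) {
  if (supportsSri(userAgent)) {
    return `<script src="${escapeAttr(cdnUrl)}" ` +
      `integrity="${integrityFor(body)}" crossorigin="anonymous"></script>`;
  }
  return `<script src="${escapeAttr(safeUrl)}"></script>`;
}
```

User-Agent strings are client-supplied and can be wrong or absent, which is why the unknown case falls back to the first-party URL rather than to the CDN link without a hash.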