Re: SRI fail open behaviour

On Wed, Aug 5, 2015 at 1:19 PM, Brad Hill <hillbrad@gmail.com> wrote:

> This goes back to some of the early design suggestions where we had things
> like src="safe_url" alt-src="CDN_url" alt-src-integrity="...".  We decided
> to cut those features for Level 1.  I'm not sure how requiring at least one
> valid hash recognized by an SRI-aware browser helps with the case where a
> website wants to send a different link for browsers that don't do SRI at
> all, or which don't recognize the algorithms chosen.
>

The server would send different links based on the User-Agent or similar,
based on its understanding of which UAs support SRI.

Cheers,
Brian

Received on Wednesday, 5 August 2015 17:26:13 UTC