OK, but that doesn't mean we need a change of the behavior for handling
unknown tokens in the integrity attribute.
On Wed, Aug 5, 2015 at 10:25 AM Brian Smith <brian@briansmith.org> wrote:
> On Wed, Aug 5, 2015 at 1:19 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> This goes back to some of the early design suggestions where we had
>> things like src="safe_url" alt-src="CDN_url" alt-src-integrity="...". We
>> decided to cut those features for Level 1. I'm not sure how requiring at
>> least one valid hash recognized by an SRI-aware browser helps with the case
>> where a website wants to send a different link for browsers that don't do
>> SRI at all, or which don't recognize the algorithms chosen.
>>
>
> The server would send different links based on the User-Agent or similar,
> based on its understanding of which UAs support SRI.
>
> Cheers,
> Brian
>
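
The unknown-token handling under discussion, as an added example that is not part of this thread or of any browser's code. It follows the published SRI Level 1 parsing rules as I understand them; the `requireRecognized` flag, the function names, and the digest strings are assumptions made for illustration, with "block the load" assumed as the outcome of the stricter variant.

```javascript
// Algorithms this hypothetical user agent recognizes, ranked by strength.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Split the attribute on whitespace; keep tokens whose algorithm is recognized,
// and set aside everything else (unknown algorithms, malformed tokens).
function parseIntegrity(attr) {
  const recognized = [];
  const ignored = [];
  for (const token of attr.trim().split(/\s+/).filter(Boolean)) {
    const expr = token.split('?')[0]; // drop any ?options suffix
    const dash = expr.indexOf('-');
    const alg = dash > 0 ? expr.slice(0, dash).toLowerCase() : '';
    const value = dash > 0 ? expr.slice(dash + 1) : '';
    if (Object.prototype.hasOwnProperty.call(STRENGTH, alg) && value) {
      recognized.push({ alg, value });
    } else {
      ignored.push(token);
    }
  }
  return { recognized, ignored };
}

// responseDigests: base64 digests of the fetched body keyed by algorithm,
// computed by the caller. requireRecognized=false models SRI Level 1 (no
// recognized token means no check and the resource loads); true models the
// stricter "at least one valid hash" idea, assumed here to block the load.
function decide(attr, responseDigests, requireRecognized = false) {
  const { recognized, ignored } = parseIntegrity(attr);
  if (recognized.length === 0) {
    return { load: !requireRecognized, checked: false, ignored };
  }
  // Only the strongest recognized algorithm present is compared.
  const top = Math.max(...recognized.map((m) => STRENGTH[m.alg]));
  const strongest = recognized.filter((m) => STRENGTH[m.alg] === top);
  const load = strongest.some((m) => responseDigests[m.alg] === m.value);
  return { load, checked: true, ignored };
}

// Constructed sample values, not real digests of any file.
const DIGESTS = { sha256: 'Y29uc3RydWN0ZWQtMjU2', sha512: 'Y29uc3RydWN0ZWQtNTEy' };
```

The `checked: false` result is the case worth auditing for: a tag whose integrity attribute holds only unrecognized tokens loads with no verification at all under the Level 1 rules.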