- From: Francois Marier <francois@mozilla.com>
- Date: Mon, 09 Feb 2015 14:55:06 +1300
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 08/02/15 20:00, Devdatta Akhawe wrote: > I still believe we should fail open and then go with the SSL style > deprecation Brad suggested. I do as well. I think of SRI as similar to CSP in the sense that it adds (integrity) protection for clients that support it, but it doesn't block clients that don't support it. Unsupported directives in CSP trigger a browser warning but don't block the whole page. This is unlike mechanisms like TLS where a web author essentially says that if the user agent doesn't support XYZ, then the connection should be closed. Francois
Received on Monday, 9 February 2015 01:55:41 UTC