
Re: [SRI] unsupported hashes and invalid metadata

From: Francois Marier <francois@mozilla.com>
Date: Mon, 09 Feb 2015 14:55:06 +1300
Message-ID: <54D8137A.1070409@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 08/02/15 20:00, Devdatta Akhawe wrote:
> I still believe we should fail open and then go with the SSL style
> deprecation Brad suggested.

I do as well.

I think of SRI as similar to CSP in the sense that it adds (integrity)
protection for clients that support it, but it doesn't block clients
that don't support it. Unsupported directives in CSP trigger a browser
warning but don't block the whole page.

This is unlike mechanisms like TLS where a web author essentially says
that if the user agent doesn't support XYZ, then the connection should
be closed.

Francois
Received on Monday, 9 February 2015 01:55:41 UTC
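
The fail-open behaviour argued for in this message, as an added example that is not code from the thread, its participants or the SRI draft: a client enforces integrity metadata it can verify, and loads the resource with a warning when the metadata is unsupported or invalid. The names `SUPPORTED`, `parseIntegrity` and `checkIntegrity`, the supported-hash list, and the choice to enforce only the strongest supported algorithm are assumptions made for illustration.

```javascript
// Added example: fail-open evaluation of integrity metadata (hypothetical names).
const { createHash } = require('node:crypto');

// Assumption: hashes this client supports, weakest first.
const SUPPORTED = ['sha256', 'sha384', 'sha512'];

// Split the attribute into {alg, digest}; malformed tokens are dropped, not fatal.
function parseIntegrity(metadata) {
  return metadata.trim().split(/\s+/)
    .map((token) => /^([a-z0-9]+)-([A-Za-z0-9+/]+={0,2})$/.exec(token))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], digest: m[2] }));
}

// Decide whether to load `body`; `reason` is what a console warning would report.
function checkIntegrity(metadata, body) {
  const usable = parseIntegrity(metadata).filter((e) => SUPPORTED.includes(e.alg));
  if (usable.length === 0) {
    // Fail open: nothing here that this client can verify, so load and warn.
    return { load: true, reason: 'no-supported-metadata' };
  }
  // Assumption: only the strongest supported algorithm present is enforced.
  const rank = Math.max(...usable.map((e) => SUPPORTED.indexOf(e.alg)));
  const alg = SUPPORTED[rank];
  const actual = createHash(alg).update(body).digest('base64');
  const ok = usable.some((e) => e.alg === alg && e.digest === actual);
  return ok ? { load: true, reason: 'match' } : { load: false, reason: 'mismatch' };
}

// Constructed sample resource and metadata strings.
const sampleBody = 'console.log("constructed sample");';
const sampleGood = 'sha384-' + createHash('sha384').update(sampleBody).digest('base64');
console.log(checkIntegrity(sampleGood, sampleBody));          // supported, matches
console.log(checkIntegrity(sampleGood, sampleBody + '//x'));  // supported, tampered
console.log(checkIntegrity('sha3-AAAA', sampleBody));         // unsupported hash
console.log(checkIntegrity('garbage', sampleBody));           // invalid metadata
```

Only a verifiable hash that does not match blocks the load; under this policy an unsupported or malformed value degrades to no integrity check at all, which is why the `reason` field is surfaced for a warning.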
