- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sun, 8 Feb 2015 22:01:42 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
That would mean that for the long tail, site admins will have to implement each hash algorithm for each and every resource, or do UA detection and send appropriate hashes down the wire. Both sound like horrible solutions.

On the other hand, it is a reasonable position for a site admin to adopt, to say "we provide SRI protections if you are using a modern browser that supports SRI with secure hash algorithms." This does require the long tail of browsers to ignore algorithms it doesn't know about.

cheers
Dev

On 8 February 2015 at 21:56, Brian Smith <brian@briansmith.org> wrote:
> Francois Marier <francois@mozilla.com> wrote:
>> What should we do for completely unknown hash algorithms? (i.e. case 2
>> with old browsers) Dev suggested that perhaps failing open is the only
>> sane way to let site admins support the long tail of browsers.
>
> Site admins could support the long tail of browsers by specifying
> multiple digests such as integrity="sha256:ABC sha3-512:ABC". Older
> browsers that don't implement sha3-512 would still enforce the
> sha256:ABC digest. A newer browser that doesn't consider (SHA-2)
> sha256 secure but which supports sha3-512 would enforce the sha3-512
> digest.
>
> Cheers,
> Brian
Received on Monday, 9 February 2015 06:02:29 UTC