W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: [SRI] unsupported hashes and invalid metadata

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 8 Feb 2015 22:01:42 -0800
Message-ID: <CAPfop_0BBYansfYRSp21x2aBj=48XA1_AdPyzDdvz1yQ7LBC0A@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
That would mean that for the long tail, site admins will have to
implement each hash algorithm for each and every resource or do UA
detection and send appropriate hashes down the wire. Both sound like
horrible solutions.

On the other hand, it is a reasonable position to adapt for a site
admin to say "we provide SRI protections if you are using a modern
browser that supports SRI with secure hash algorithms." This does
require the long tail of browsers to ignore algorithms it doesn't know
about.

cheers
Dev


On 8 February 2015 at 21:56, Brian Smith <brian@briansmith.org> wrote:
> Francois Marier <francois@mozilla.com> wrote:
>> What should we do for completely unknown hash algorithms? (i.e. case 2
>> with old browsers) Dev suggested that perhaps failing open is the only
>> sane way to let site admins support the long tail of browsers.
>
> Site admins could support the long tail of browsers by specifying
> multiple digests such as integrity="sha256:ABC sha3-512:ABC". Older
> browsers that don't implement sha3-512 would still enforce the
> sha256:ABC digest. A newer browser that doesn't consider (SHA-2)
> sha256 secure but which supports sha3-512 would enforce the sha3-512
> digest.
>
> Cheers,
> Brian
>
Received on Monday, 9 February 2015 06:02:29 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC