
Re: [SRI] unsupported hashes and invalid metadata

From: Brian Smith <brian@briansmith.org>
Date: Sun, 8 Feb 2015 22:44:29 -0800
Message-ID: <CAFewVt4fQtrhXGVfb-ke7UTvs8SZ6-bcR41NtM7yOMo65=OaHQ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> On the other hand, it is a reasonable position to adopt for a site
> admin to say "we provide SRI protections if you are using a modern
> browser that supports SRI with secure hash algorithms." This does
> require the long tail of browsers to ignore algorithms they don't know
> about.

It's not clear what you are suggesting. How should a browser deal with
the typo "sha265"? I think it should avoid loading the resource when
there is such a typo. How can a browser detect a typo? It should
assume all unrecognized algorithm names are typos unless explicitly
instructed otherwise.

Received on Monday, 9 February 2015 06:44:56 UTC
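
The two positions in this exchange, side by side, as an added example that is not part of the original message or of any browser's code. The function names, the policy names and the supported-algorithm set are assumptions, and the check is simplified so that any matching supported digest is enough.

```javascript
const crypto = require("crypto");

// Assumption: the hash names this hypothetical user agent recognizes.
const SUPPORTED = new Set(["sha256", "sha384", "sha512"]);

// Split an integrity attribute into { alg, digest } tokens of the form "alg-base64digest".
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((tok) => {
    const i = tok.indexOf("-");
    const alg = (i < 0 ? tok : tok.slice(0, i)).toLowerCase();
    return { alg, digest: i < 0 ? "" : tok.slice(i + 1) };
  });
}

function digestOf(alg, body) {
  return crypto.createHash(alg).update(body).digest("base64");
}

// policy "ignore-unknown":  skip names the user agent does not recognize.
// policy "unknown-is-typo": any unrecognized name blocks the load.
function decide(attr, body, policy) {
  const tokens = parseIntegrity(attr);
  const unknown = tokens.filter((t) => !SUPPORTED.has(t.alg));
  if (policy === "unknown-is-typo" && unknown.length > 0) {
    return { load: false, reason: "unrecognized algorithm: " + unknown[0].alg };
  }
  const known = tokens.filter((t) => SUPPORTED.has(t.alg));
  if (known.length === 0) {
    // Nothing left to check against: the resource loads without verification.
    return { load: true, reason: "no usable metadata, not verified" };
  }
  const ok = known.some((t) => digestOf(t.alg, body) === t.digest);
  return ok ? { load: true, reason: "digest matched" }
            : { load: false, reason: "digest mismatch" };
}

// Constructed sample data: the script the admin hashed and a modified copy.
const original = "console.log('widget v1');";
const tampered = "console.log('widget v1'); /* modified in transit */";
const goodAttr = "sha256-" + digestOf("sha256", original);
const typoAttr = goodAttr.replace("sha256-", "sha265-"); // the typo from the message

for (const policy of ["ignore-unknown", "unknown-is-typo"]) {
  console.log(policy, "| typo attr, tampered body:", decide(typoAttr, tampered, policy));
  console.log(policy, "| good attr, tampered body:", decide(goodAttr, tampered, policy));
}
```

With the `sha265` typo, the ignore-unknown policy loads the modified script with no integrity check at all, while the unknown-is-typo policy refuses it. No mechanism for "explicitly instructed otherwise" is modeled here.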
