
Re: [SRI] unsupported hashes and invalid metadata

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 8 Feb 2015 22:49:32 -0800
Message-ID: <CAPfop_0Zg-AY1un8+xY3_kPbtd4kdWYcfr1Uf1YHUhe=N1SVLw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Browser shouldn't try to detect a typo -- just warn in the developer
console that SRI is not enabled because it couldn't see any recognized
hash algorithm. Imagine if older CSP implementations borked on unknown
directives.

--dev

On 8 February 2015 at 22:44, Brian Smith <brian@briansmith.org> wrote:
> Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> On the other hand, it is a reasonable position to adapt for a site
>> admin to say "we provide SRI protections if you are using a modern
>> browser that supports SRI with secure hash algorithms." This does
>> require the long tail of browsers to ignore algorithms it doesn't know
>> about.
>
> It's not clear what you are suggesting. How should a browser deal with
> the typo "sha265"? I think it should avoid loading the resource when
> there is such a typo. How can a browser detect a typo? It should
> assume all unrecognized algorithm names are typos unless explicitly
> instructed otherwise.
>
> Cheers,
> Brian
Received on Monday, 9 February 2015 06:50:19 UTC
