- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sun, 8 Feb 2015 22:49:32 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Browser shouldn't try to detect a typo -- just warn in the developer
console that SRI is not enabled because it couldn't see any recognized
hash algorithm. Imagine if older CSP implementations borked on unknown
directives.

--dev

On 8 February 2015 at 22:44, Brian Smith <brian@briansmith.org> wrote:
> Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> On the other hand, it is a reasonable position to adapt for a site
>> admin to say "we provide SRI protections if you are using a modern
>> browser that supports SRI with secure hash algorithms." This does
>> require the long tail of browsers to ignore algorithms it doesn't know
>> about.
>
> It's not clear what you are suggesting. How should a browser deal with
> the typo "sha265"? I think it should avoid loading the resource when
> there is such a typo. How can a browser detect a typo? It should
> assume all unrecognized algorithm names are typos unless explicitly
> instructed otherwise.
>
> Cheers,
> Brian

Received on Monday, 9 February 2015 06:50:19 UTC
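
The two behaviours debated in this thread, side by side, as an added example that is not part of either message and is not any browser's code. The function names and the policy labels `ignore-unknown` and `unknown-is-typo` are hypothetical, and the script body and integrity values are constructed.

```javascript
// Added illustration: names and policy labels are hypothetical, not from any browser.
const nodeCrypto = require("node:crypto");

const RECOGNIZED = ["sha256", "sha384", "sha512"]; // ordered weakest to strongest

// Helper for building constructed sample metadata: "<alg>-<base64 digest>".
function integrityFor(alg, body) {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest("base64")}`;
}

// Split an integrity attribute into { alg, digest } entries, one per token.
function parseIntegrity(value) {
  return value.split(/\s+/).filter(Boolean).map((token) => {
    const dash = token.indexOf("-");
    if (dash < 0) return { alg: token.toLowerCase(), digest: "" };
    return { alg: token.slice(0, dash).toLowerCase(), digest: token.slice(dash + 1) };
  });
}

// "ignore-unknown": skip unrecognized names; if none is recognized, load and warn.
// "unknown-is-typo": any unrecognized name blocks the load.
function checkResource(integrity, body, policy) {
  const entries = parseIntegrity(integrity);
  const known = entries.filter((e) => RECOGNIZED.includes(e.alg));
  const unknown = entries.filter((e) => !RECOGNIZED.includes(e.alg));
  if (policy === "unknown-is-typo" && unknown.length > 0) {
    return { load: false, enforced: true,
             warning: `blocked: unrecognized hash algorithm "${unknown[0].alg}"` };
  }
  if (known.length === 0) {
    return { load: true, enforced: false,
             warning: "SRI is not enabled: no recognized hash algorithm" };
  }
  // Enforce only the strongest recognized algorithm present.
  const rank = (e) => RECOGNIZED.indexOf(e.alg);
  const best = known.reduce((a, b) => (rank(b) > rank(a) ? b : a)).alg;
  const actual = nodeCrypto.createHash(best).update(body).digest("base64");
  const ok = known.some((e) => e.alg === best && e.digest === actual);
  return { load: ok, enforced: true, warning: ok ? null : "blocked: digest mismatch" };
}

// Constructed sample: a script body and metadata carrying the thread's "sha265" typo.
const BODY = "console.log('hello');";
const TYPO = integrityFor("sha256", BODY).replace("sha256", "sha265");
console.log(checkResource(TYPO, BODY, "ignore-unknown"));
console.log(checkResource(TYPO, BODY, "unknown-is-typo"));
console.log(checkResource(`${TYPO} ${integrityFor("sha384", BODY)}`, "tampered", "ignore-unknown"));
```

Under `ignore-unknown` the typo-only case loads with `enforced: false`, so the console warning is the only signal a site admin gets that the integrity check did not run.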