Re: [SRI] unsupported hashes and invalid metadata

Browser shouldn't try to detect a typo -- just warn in the developer
console that SRI is not enabled because it couldn't see any recognized
hash algorithm. Imagine if older CSP implementations borked on unknown


On 8 February 2015 at 22:44, Brian Smith <> wrote:
> Devdatta Akhawe <> wrote:
>> On the other hand, it is a reasonable position to adapt for a site
>> admin to say "we provide SRI protections if you are using a modern
>> browser that supports SRI with secure hash algorithms." This does
>> require the long tail of browsers to ignore algorithms it doesn't know
>> about.
> It's not clear what you are suggesting. How should a browser deal with
> the typo "sha265"? I think it should avoid loading the resource when
> there is such a typo. How can a browser detect a typo? It should
> assume all unrecognized algorithm names are typos unless explicitly
> instructed otherwise.
> Cheers,
> Brian

Received on Monday, 9 February 2015 06:50:19 UTC