Browser shouldn't try to detect a typo -- just warn in the developer console that SRI is not enabled because it couldn't see any recognized hash algorithm. Imagine if older CSP implementations borked on unknown directives. --dev On 8 February 2015 at 22:44, Brian Smith <brian@briansmith.org> wrote: > Devdatta Akhawe <dev.akhawe@gmail.com> wrote: >> On the other hand, it is a reasonable position to adapt for a site >> admin to say "we provide SRI protections if you are using a modern >> browser that supports SRI with secure hash algorithms." This does >> require the long tail of browsers to ignore algorithms it doesn't know >> about. > > It's not clear what you are suggesting. How should a browser deal with > the typo "sha265"? I think it should avoid loading the resource when > there is such a typo. How can a browser detect a typo? It should > assume all unrecognized algorithm names are typos unless explicitly > instructed otherwise. > > Cheers, > BrianReceived on Monday, 9 February 2015 06:50:19 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC