Browser shouldn't try to detect a typo -- just warn in the developer console that SRI is not enabled because it couldn't see any recognized hash algorithm. Imagine if older CSP implementations borked on unknown directives. --dev On 8 February 2015 at 22:44, Brian Smith <brian@briansmith.org> wrote: > Devdatta Akhawe <dev.akhawe@gmail.com> wrote: >> On the other hand, it is a reasonable position to adapt for a site >> admin to say "we provide SRI protections if you are using a modern >> browser that supports SRI with secure hash algorithms." This does >> require the long tail of browsers to ignore algorithms it doesn't know >> about. > > It's not clear what you are suggesting. How should a browser deal with > the typo "sha265"? I think it should avoid loading the resource when > there is such a typo. How can a browser detect a typo? It should > assume all unrecognized algorithm names are typos unless explicitly > instructed otherwise. > > Cheers, > BrianReceived on Monday, 9 February 2015 06:50:19 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC