- From: Jim Manico <jim.manico@owasp.org>
- Date: Mon, 9 Feb 2015 07:58:38 +0100
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Brian Smith <brian@briansmith.org>, Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I agree, this is something that should be (obviously and easily) caught during development. Standards cannot protect the "bad developer" who skips basic Q/A.

--
Jim Manico
@Manicode
(808) 652-3805

> On Feb 9, 2015, at 7:52 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>
> Browser shouldn't try to detect a typo -- just warn in the developer
> console that SRI is not enabled because it couldn't see any recognized
> hash algorithm. Imagine if older CSP implementations borked on unknown
> directives.
>
> --dev
>
>> On 8 February 2015 at 22:44, Brian Smith <brian@briansmith.org> wrote:
>> Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> On the other hand, it is a reasonable position to adapt for a site
>>> admin to say "we provide SRI protections if you are using a modern
>>> browser that supports SRI with secure hash algorithms." This does
>>> require the long tail of browsers to ignore algorithms it doesn't know
>>> about.
>>
>> It's not clear what you are suggesting. How should a browser deal with
>> the typo "sha265"? I think it should avoid loading the resource when
>> there is such a typo. How can a browser detect a typo? It should
>> assume all unrecognized algorithm names are typos unless explicitly
>> instructed otherwise.
>>
>> Cheers,
>> Brian
>
Received on Monday, 9 February 2015 06:59:08 UTC