W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: [SRI] unsupported hashes and invalid metadata

From: Jim Manico <jim.manico@owasp.org>
Date: Mon, 9 Feb 2015 07:58:38 +0100
Message-ID: <-7397924247887423175@unknownmsgid>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Brian Smith <brian@briansmith.org>, Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I agree, this is something that should be (obviously and easily)
caught during development. Standards cannot protect the "bad
developer" who skips basic Q/A.
--
Jim Manico
@Manicode
(808) 652-3805

> On Feb 9, 2015, at 7:52 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>
> Browser shouldn't try to detect a typo -- just warn in the developer
> console that SRI is not enabled because it couldn't see any recognized
> hash algorithm. Imagine if older CSP implementations borked on unknown
> directives.
>
> --dev
>
>> On 8 February 2015 at 22:44, Brian Smith <brian@briansmith.org> wrote:
>> Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> On the other hand, it is a reasonable position to adapt for a site
>>> admin to say "we provide SRI protections if you are using a modern
>>> browser that supports SRI with secure hash algorithms." This does
>>> require the long tail of browsers to ignore algorithms it doesn't know
>>> about.
>>
>> It's not clear what you are suggesting. How should a browser deal with
>> the typo "sha265"? I think it should avoid loading the resource when
>> there is such a typo. How can a browser detect a typo? It should
>> assume all unrecognized algorithm names are typos unless explicitly
>> instructed otherwise.
>>
>> Cheers,
>> Brian
>
Received on Monday, 9 February 2015 06:59:08 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC