- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sat, 3 Jan 2015 12:46:48 -0800
- To: Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> 1. <script integrity="ni:///sha-512;foo"> for a modern browser that no > longer considers that hash algorithm secure > > 2. <script integrity="ni:///sha-1024;foo"> for an older browser that > doesn't know about this new hash algorithm > > I think you're suggesting we fail open (for a time anyways) in the first > case by keeping a list of known-but-no-longer-trusted hash algorithms. I > can draft a pull request for this. Do we really need to spec the first case? I think we should leave it to UAs to decide what is best for their users. cheers Dev
Received on Saturday, 3 January 2015 20:47:34 UTC