W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [SRI] unsupported hashes and invalid metadata

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sat, 3 Jan 2015 12:46:48 -0800
Message-ID: <CAPfop_365pyqUTybHgwQ-93UpXEwyJb9q4GHEgXp=ahHZHrAUg@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> 1. <script integrity="ni:///sha-512;foo"> for a modern browser that no
> longer considers that hash algorithm secure
>
> 2. <script integrity="ni:///sha-1024;foo"> for an older browser that
> doesn't know about this new hash algorithm
>
> I think you're suggesting we fail open (for a time anyways) in the first
> case by keeping a list of known-but-no-longer-trusted hash algorithms. I
> can draft a pull request for this.

Do we really need to spec the first case? I think we should leave it
to UAs to decide what is best for their users.

cheers
Dev
Received on Saturday, 3 January 2015 20:47:34 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC