W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [SRI] unsupported hashes and invalid metadata

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sat, 3 Jan 2015 12:46:48 -0800
Message-ID: <CAPfop_365pyqUTybHgwQ-93UpXEwyJb9q4GHEgXp=ahHZHrAUg@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> 1. <script integrity="ni:///sha-512;foo"> for a modern browser that no
> longer considers that hash algorithm secure
> 2. <script integrity="ni:///sha-1024;foo"> for an older browser that
> doesn't know about this new hash algorithm
> I think you're suggesting we fail open (for a time anyways) in the first
> case by keeping a list of known-but-no-longer-trusted hash algorithms. I
> can draft a pull request for this.

Do we really need to spec the first case? I think we should leave it
to UAs to decide what is best for their users.

Received on Saturday, 3 January 2015 20:47:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC