- From: Chris Palmer <palmer@google.com>
- Date: Mon, 5 Jan 2015 16:00:15 -0800
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 3:06 PM, Brad Hill <hillbrad@gmail.com> wrote:

>> FWIW, if all the resources retrieved over HTTP were protected with
>> sub-resource-integrity, then I think you have lost only some confidentiality
>> and you still have integrity and authenticity.
>
> Unfortunately, it is worth very little. The motivating use case here is
> the ability to pull in arbitrary open data for use in mashups, so the
> application cannot reasonably know in advance a secure digest value of the
> content and any plausibly secure way to provide this metadata assumes much
> more competence and effort on the part of the data providers than merely
> offering the same resources over https.

Furthermore, the client cannot programmatically distinguish OpenDataMashup.com from UnsafeEmailReader.com.
Received on Tuesday, 6 January 2015 00:00:42 UTC