Re: CfC: Subresource Integrity (SRI) to Last Call?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 6 May 2015 18:52:36 +0200
Message-ID: <CADnb78gwngsFO+CR9iRt9PaDBHz-Mwfqy01qDkyM8o12nVDuKQ@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, May 6, 2015 at 2:23 PM, Frederik Braun <fbraun@mozilla.com> wrote:
> Instead, Subresource Integrity is now asking for "Wide Review".
>
> Please share the latest revision of the Subresource Integrity working
> draft widely. Any feedback now can save us work in the future :-)
>
> http://w3c.github.io/webappsec/specs/subresourceintegrity/

I find it hard to review while you have not tackled Fetch integration.
That would make all logic apparent. The idea of integrity failing and
<script> having to check for that seems insane. It should fail
directly at the network layer without the ability for <script> to even
have to think about it.

I filed an issue for this which you classified as an editorial nit,
but I would like to see this addressed since it would impact the
structure of the specification quite a bit and would make the security
much more tightly coupled than it is now:

  https://github.com/w3c/webappsec/issues/238


-- 
https://annevankesteren.nl/
Received on Wednesday, 6 May 2015 16:53:02 UTC
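
A small model of the layering argued for in the message above, added here as an example and not taken from the message or the SRI draft: the digest check lives in a fetch-like function that returns a network error on mismatch, so the `<script>` stand-in carries no integrity logic. `fetchWithIntegrity`, `loadScript`, `ORIGIN_SERVER` and the `cdn.example` URL are hypothetical names and constructed data.

```javascript
// Added illustration. fetchWithIntegrity, loadScript, ORIGIN_SERVER and the
// cdn.example URL are hypothetical; the response body is constructed sample data.
const crypto = require('node:crypto');

const ORIGIN_SERVER = new Map([
  ['https://cdn.example/lib.js', 'console.log("lib v1");'],
]);
const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest
const NETWORK_ERROR = Object.freeze({ type: 'error', body: null });

const digest = (alg, body) =>
  crypto.createHash(alg).update(body).digest('base64');

// Parse "sha256-<base64> sha512-<base64>" and keep only the entries that use
// the strongest recognised algorithm, so a weaker hash cannot override it.
function parseIntegrity(metadata) {
  const entries = metadata.trim().split(/\s+/)
    .filter((tok) => tok.includes('-'))
    .map((tok) => {
      const dash = tok.indexOf('-');
      return { alg: tok.slice(0, dash), value: tok.slice(dash + 1) };
    })
    .filter((e) => STRENGTH.includes(e.alg));
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)));
  return entries.filter((e) => STRENGTH.indexOf(e.alg) === best);
}

// Fetch-layer enforcement: a digest mismatch becomes a network error here,
// so the unverified body never reaches any consumer.
function fetchWithIntegrity(url, integrity = '') {
  if (!ORIGIN_SERVER.has(url)) return NETWORK_ERROR;
  const body = ORIGIN_SERVER.get(url);
  const wanted = parseIntegrity(integrity);
  // Modelling choice: no recognised metadata means no integrity requirement.
  if (wanted.length === 0) return { type: 'basic', body };
  const ok = wanted.some((e) => digest(e.alg, body) === e.value);
  return ok ? { type: 'basic', body } : NETWORK_ERROR;
}

// Stand-in for <script>: it has no integrity logic of its own and only
// distinguishes a usable response from a network error.
function loadScript(url, integrity) {
  const res = fetchWithIntegrity(url, integrity);
  return res.type === 'error' ? 'error event' : `executed ${res.body.length} bytes`;
}
```

Any other consumer built on `fetchWithIntegrity` gets the same guarantee without repeating the check.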