Re: [SRI] Comments on Subresource Integrity spec

On 12/05/15 00:37, Daniel Veditz wrote:
> Duplicating the information in the SRI spec rather than referencing CSP
> would be a valid choice but doesn't change the fact that when SHA-3 is
> adopted WASWG needs to specify how to reference it in one or both places.

Fair enough. No action, then.

> I agree with you that section 5.1 addresses a different issue, and that
> either the SRI or MIXED specs (or both) should be explicit on this point.

Great.

> I tend to agree with you. If our baseline is sha-256 and at some point
> in the future it turns out to be weak it's still better to check it than
> not, and breaking historic pages ("secure" fail closed) is unreasonably
> punitive. We shouldn't support md5 or sha1, though, as it's not any
> harder for authors to generate sha-256.

Indeed. I'm not arguing that we should start by supporting broken
algorithms, but it seems strange to me to not check integrity metadata
for weaker algorithms, when there's no downside to doing so as the
default is just to load anyway.

Gerv

Received on Tuesday, 12 May 2015 15:00:28 UTC