Re: [SRI] Comments on Subresource Integrity spec

From: Gervase Markham <gerv@mozilla.org>
Date: Tue, 12 May 2015 15:59:59 +0100
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <5552156F.7050005@mozilla.org>

On 12/05/15 00:37, Daniel Veditz wrote:
> Duplicating the information in the SRI spec rather than referencing CSP
> would be a valid choice but doesn't change the fact that when SHA-3 is
> adopted WASWG needs to specify how to reference it in one or both places.

Fair enough. No action, then.

> I agree with you that section 5.1 addresses a different issue, and that
> either the SRI or MIXED specs (or both) should be explicit on this point.

Great.

> I tend to agree with you. If our baseline is sha-256 and at some point
> in the future it turns out to be weak it's still better to check it than
> not, and breaking historic pages ("secure" fail closed) is unreasonably
> punitive. We shouldn't support md5 or sha1, though, as it's not any
> harder for authors to generate sha-256.

Indeed. I'm not arguing that we should start by supporting broken
algorithms, but it seems strange to me to not check integrity metadata
for weaker algorithms, when there's no downside to doing so as the
default is just to load anyway.

Gerv
Received on Tuesday, 12 May 2015 15:00:28 UTC