W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2015

Re: [SRI] Comments on Subresource Integrity spec

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 18 May 2015 08:33:35 -0700
Message-ID: <CAPfop_1k=qJPL++xcD95kK4Jspnr4UgCHLRq_izubkec7-q4bg@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Joel Weinberger <jww@chromium.org>, public-webappsec@w3.org
I thought the MAY gave flexibility to UAs. Does it not?
On May 18, 2015 6:16 AM, "Gervase Markham" <gerv@mozilla.org> wrote:

On 17/05/15 08:51, Devdatta Akhawe wrote:
> "User agents MAY deprecate support (by blocking loads) for integrity
> validation using hash functions deemed insecure. Web application authors
> SHOULD update integrity metadata to remove use of insecure hash

No problem with the second sentence. The first seems fairly specific; I
thought you were arguing for flexibility in how UAs handle "deprecation"?

Received on Monday, 18 May 2015 15:34:03 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:49 UTC