
Re: Comments on Subresource integrity

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 18 May 2015 12:27:34 -0700
Message-ID: <CAPfop_2zXmdhBvngDodcH9KcYz-y6Rs1RPw7A-JWR57yeHLcmw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hey Watson

thanks for the email. I filed bugs for 1 and 2. They seem like easy fixes
and we will get to them soon.
https://github.com/w3c/webappsec/issues/366
https://github.com/w3c/webappsec/issues/367

Re point 3: I am not a fan of the spec (which changes slowly) defining
priority. I think we should leave this flexibility to UAs instead of
mandating priority of hash functions.


cheers
Dev


On 16 May 2015 at 10:01, Watson Ladd <watsonbladd@gmail.com> wrote:

> Dear all,
>
> I have several comments on the draft.
>
> 1: The draft does not define how to parse tokens, only split a list of
> tokens on spaces. It's clear from examples what is meant, but this
> should be made explicit.
>
> 2: There does not appear to be a way to specify multiple hashes with the
> same algorithm. This may be useful in load-balancer situations where a
> phased rollout may mean some requests return different data from
> others.
>
> 3: Permitting user agents to indicate priority in mutually
> incompatible ways is not as good as specifying one useful way. The
> best way is probably a comparison function.
>
> Sincerely,
> Watson Ladd
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
>
>
>
Received on Monday, 18 May 2015 19:28:23 UTC
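
The three points raised in this thread (an explicit token grammar, several digests for one algorithm, and priority as a single comparison function), sketched as an added example that is not taken from the draft or written by either author. The token grammar, the strength ordering, the pass-on-empty behaviour and all function names are assumptions made for illustration.

```javascript
// Added illustration (Node.js). Names, grammar and ordering are assumptions.
const { createHash } = require("node:crypto");

// Assumed ordering, weakest to strongest; other algorithms are ignored.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Point 1: an explicit token grammar, "<alg>-<base64 digest>[?options]",
// applied to each whitespace-separated token. Malformed tokens are skipped.
function parseIntegrity(value) {
  const tokens = [];
  for (const raw of value.trim().split(/\s+/)) {
    const m = /^(sha\d+)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/.exec(raw);
    if (m && STRENGTH.includes(m[1])) tokens.push({ alg: m[1], digest: m[2] });
  }
  return tokens;
}

// Point 3: priority expressed as one comparison function.
function compareAlg(a, b) {
  return STRENGTH.indexOf(a) - STRENGTH.indexOf(b);
}

// Point 2: several digests may share an algorithm; any match passes.
// Only the strongest listed algorithm is checked, so a weaker digest
// sitting beside a stronger one cannot be used to downgrade the check.
function verify(body, integrity) {
  const tokens = parseIntegrity(integrity);
  if (tokens.length === 0) return true; // assumption: nothing to enforce
  const strongest = tokens.map((t) => t.alg).sort(compareAlg).pop();
  const actual = createHash(strongest).update(body).digest("base64");
  return tokens.some((t) => t.alg === strongest && t.digest === actual);
}

// Helper that builds one token for a resource body.
function sri(alg, body) {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Constructed sample: two builds served during a phased rollout.
const V1 = "console.log('build 1');";
const V2 = "console.log('build 2');";
const ROLLOUT = `${sri("sha384", V1)} ${sri("sha384", V2)}`;
```
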
