W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2015

Re: [SRI] Comments on Subresource Integrity spec

From: Joel Weinberger <jww@chromium.org>
Date: Tue, 19 May 2015 08:22:26 +1000
Message-ID: <CAHQV2KnoPbrtnsWVXvags5C1Lm8g59RaSrjmV=QAxUOSEVt1Ow@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Gervase Markham <gerv@mozilla.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
"MAY" certainly covers the plans for our implementation, so it works for
me. I'd like to know, though, if any UA actually plans not to follow this
directive. If not, than I don't really see the point of a "MAY" vs "SHOULD"
or "MUST." But, yeah, I'm fine with this in any case.
--Joel

PS: I'm on vacation until next week, so I'll be quite slow to respond at
times. My apologies!

On Tue, May 19, 2015 at 5:29 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> Given that there is some disagreement about this, I don't think we gain
> anything by asserting that. As I mentioned, I can imagine a UA doing this
> to encourage migration.
>
> On 18 May 2015 at 08:39, Gervase Markham <gerv@mozilla.org> wrote:
>
>> On 18/05/15 16:33, Devdatta Akhawe wrote:
>> > I thought the MAY gave flexibility to UAs. Does it not?
>>
>> It does; but I always think that when a spec says "MAY", it means a bit
>> more than "You MAY consider the moon to be made of green cheese"; i.e.
>> there are circumstances where the MAY might be a good idea. I'm not sure
>> I can think of any circumstances where a UA would decide to block loads
>> due to out-of-date integrity hash algorithms, given that the
>> no-integrity behaviour is to load regardless.
>>
>> Gerv
>>
>
>
Received on Monday, 18 May 2015 22:22:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC