- From: Mhano Harkness <mhano@deltalateral.com>
- Date: Tue, 19 Jan 2016 12:36:26 +1100
- To: public-webappsec@w3.org
- Message-ID: <CANRpNNk2TULKzXfn93Px2ORwSaqOhCYjYMpmfmazDvu=WL3-TA@mail.gmail.com>
Hi,

In regards to the SRI specification.

https://www.w3.org/TR/SRI/

It seems more guidance / specific features could be promoted to support the secure fallback to local resources for legacy user agents. User agents not supporting the specification will load resources without checking their integrity.

It may be possible to extend the specification in some way (which remains compatible with the draft, current user agents that support SRI and older user agents which don't).

Perhaps a future version could support something like the below (or some other mechanisms to support graceful and secure fall back in case the CDN is not available, the user agent doesn't understand the new directive, etc.):

    <link rel="stylesheet"
          href="https://www.localsite.net/style.css"
          *exhref*="https://www.cndsite.net/product/v1.9.36/style.css"
          integrity="sha384-HashOmittedForBrevity=="
          crossorigin="anonymous">

Best Regards,
Mhano Harkness
Received on Tuesday, 19 January 2016 13:59:30 UTC
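
The fallback requested in the message can be approximated today with script-side feature detection. The following is an added example, not part of the original message or of the SRI specification; `supportsSri`, `planStylesheet`, `attachStylesheet` and `RESOURCE` are hypothetical names, and the URLs and hash placeholder are the ones quoted in the message.

```javascript
// Added example: script-based approximation of the proposed "exhref" fallback.
// All function names are hypothetical; URLs and hash placeholder are from the message.
const RESOURCE = {
  local: 'https://www.localsite.net/style.css',
  cdn: 'https://www.cndsite.net/product/v1.9.36/style.css',
  integrity: 'sha384-HashOmittedForBrevity==', // placeholder, not a real digest
};

// True only when the user agent exposes the SRI `integrity` property on <link>,
// i.e. it will enforce the hash rather than silently ignore the attribute.
function supportsSri(doc) {
  return 'integrity' in doc.createElement('link');
}

// Use the CDN copy only when its integrity will actually be checked;
// legacy user agents are pointed at the same-origin copy instead.
function planStylesheet(doc, res) {
  if (supportsSri(doc) && res.integrity) {
    return { href: res.cdn, integrity: res.integrity, crossOrigin: 'anonymous' };
  }
  return { href: res.local };
}

// Insert the <link>. If the CDN load fails (CDN unreachable, or a hash
// mismatch, which SRI surfaces as a load error), replace it with the local copy.
function attachStylesheet(doc, res) {
  const plan = planStylesheet(doc, res);
  const link = doc.createElement('link');
  link.rel = 'stylesheet';
  if (plan.integrity) {
    link.integrity = plan.integrity;
    link.crossOrigin = plan.crossOrigin;
    link.onerror = () => {
      const fallback = doc.createElement('link');
      fallback.rel = 'stylesheet';
      fallback.href = res.local;
      doc.head.replaceChild(fallback, link);
    };
  }
  link.href = plan.href;
  doc.head.appendChild(link);
  return link;
}
```

Unlike the declarative attribute proposed in the message, this approach depends on script execution, so the loader itself must be served from the first-party origin.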