
Security / Technical feedback on subresource integrity specification

From: Mhano Harkness <mhano@deltalateral.com>
Date: Tue, 19 Jan 2016 12:36:26 +1100
Message-ID: <CANRpNNk2TULKzXfn93Px2ORwSaqOhCYjYMpmfmazDvu=WL3-TA@mail.gmail.com>
To: public-webappsec@w3.org
Hi,

In regard to the SRI specification: https://www.w3.org/TR/SRI/

It seems more guidance / specific features could be promoted to support the
secure fallback to local resources for legacy user agents.

User agents not supporting the specification will load resources without
checking their integrity. It may be possible to extend the specification in
some way (which remains compatible with the draft, current user agents that
support SRI and older user agents which don't).

Perhaps a future version could support something like the below (or some
other mechanism to support graceful and secure fallback in case the CDN
is not available, the user agent doesn't understand the new directive,
etc.):

<link
         rel="stylesheet"
         href="https://www.localsite.net/style.css"
         *exhref*="https://www.cndsite.net/product/v1.9.36/style.css"
         integrity="sha384-HashOmittedForBrevity=="
         crossorigin="anonymous">

Best Regards,
Mhano Harkness
Received on Tuesday, 19 January 2016 13:59:30 UTC
