[SRI] Re: Security / Technical feedback on subresource integrity specification

We've been thinking about fallbacks in the past, but omitted it for
progress's sake in SRI v1.

If you want to see a list of things we did not end up doing for version
1, you may want to take a look at our first public working draft from
2014 and the 'noncanonical-src' attribute in particular:


On 19.01.2016 02:36, Mhano Harkness wrote:
> Hi,
> In regard to the SRI specification: https://www.w3.org/TR/SRI/
> It seems more guidance / specific features could be promoted to support
> the secure fallback to local resources for legacy user agents.
> User agents not supporting the specification will load resources without
> checking their integrity. It may be possible to extend the specification
> in some way (which remains compatible with the draft, current user
> agents that support SRI and older user agents which don't).
> Perhaps a future version could support something like the below (or some
> other mechanisms to support graceful and secure fallback in case the
> CDN is not available, the user agent doesn't understand the new
> directive, etc.):
> <link
>   rel="stylesheet"
>   href="https://www.localsite.net/style.css"
>   *exhref*="https://www.cndsite.net/product/v1.9.36/style.css"
>   integrity="sha384-HashOmittedForBrevity=="
>   crossorigin="anonymous">
> Best Regards,
> Mhano Harkness
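The integrity check that both the specification and the proposed fallback rely on, worked through as an added Python example (not code from this thread or from the W3C spec): parse an integrity attribute, match a fetched body against the strongest algorithm it lists, and accept either the CDN copy or a local fallback only when it matches. The sample stylesheet bytes and the `choose_resource` policy are constructed for illustration and are not part of the spec.

```python
import base64
import hashlib

# Algorithms SRI v1 recognises, ordered weakest to strongest (spec priority order).
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample stylesheet body standing in for style.css.
STYLE = b"body { color: #222; }\n"


def sri_digest(data: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>' for data."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(metadata: str) -> dict:
    """Parse an integrity attribute into {algorithm: {base64 digests}}.
    Tokens with unknown algorithms are ignored, as the spec requires, and an
    optional '?options' suffix on a token is dropped."""
    parsed = {}
    for token in metadata.split():
        algorithm, sep, rest = token.partition("-")
        if not sep or algorithm not in SRI_ALGORITHMS:
            continue
        digest = rest.split("?", 1)[0]
        parsed.setdefault(algorithm, set()).add(digest)
    return parsed


def matches_integrity(data: bytes, metadata: str) -> bool:
    """True if data matches any digest listed for the strongest algorithm in
    metadata. Metadata with no usable token matches everything, which is the
    spec's behaviour for user agents that recognise SRI but parse nothing."""
    parsed = parse_integrity(metadata)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    expected = sri_digest(data, strongest).split("-", 1)[1]
    return expected in parsed[strongest]


def choose_resource(cdn_body, local_body, metadata: str):
    """Constructed fallback policy: prefer the CDN copy, then the local copy,
    but only a copy that matches the integrity metadata; None means refuse."""
    for body in (cdn_body, local_body):
        if body is not None and matches_integrity(body, metadata):
            return body
    return None
```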

Received on Tuesday, 19 January 2016 14:33:36 UTC