- From: Frederik Braun <fbraun@mozilla.com>
- Date: Tue, 19 Jan 2016 15:33:05 +0100
- To: public-webappsec@w3.org

We've been thinking about fallbacks in the past, but omitted it for progress's sake in SRI v1.

If you want to see a list of things we did not end up doing for version 1, you may want to take a look at our first public working draft from 2014 and the 'noncanonical-src' attribute in particular:
https://www.w3.org/TR/2014/WD-SRI-20140318/#the-noncanonical-src-attribute-todo-1

On 19.01.2016 02:36, Mhano Harkness wrote:
> Hi,
>
> In regards to the SRI specification.. https://www.w3.org/TR/SRI/
>
> It seems more guidance / specific features could be promoted to support
> the secure fallback to local resources for legacy user agents.
>
> User agents not supporting the specification will load resources without
> checking their integrity. It may be possible to extend the specification
> in some way (which remains compatible with the draft, current user
> agents that support SRI and older user agents which don't).
>
> Perhaps a future version could support something like the below (or some
> other mechanisms to support graceful and secure fall back in case the
> CDN is not available, the user agent doesn't understand the new
> directive, etc.):
>
> <link
>     rel="stylesheet"
>     href="https://www.localsite.net/style.css"
>     *exhref*="https://www.cndsite.net/product/v1.9.36/style.css"
>     integrity="sha384-HashOmittedForBrevity=="
>     crossorigin="anonymous">
>
> Best Regards,
> Mhano Harkness
>

Received on Tuesday, 19 January 2016 14:33:36 UTC
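
The fallback behaviour discussed in this thread, modelled as an added example that is not part of either message or of the SRI specification. The semantics given to `exhref` (try the CDN copy under the integrity check, otherwise use `href`) and the names `resolveStylesheet`, `fetchFn` and `network` are assumptions made for illustration; the stylesheet body is constructed sample data.

```javascript
// Added illustration, not code from the thread. The `exhref` semantics are an
// assumption: the proposal is only sketched in the message.
const nodeCrypto = require('node:crypto');
const ALGS = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Integrity value for a body in SRI form: "<alg>-<base64 digest>".
function sriDigest(body, alg = 'sha384') {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest('base64')}`;
}

// SRI v1 matching: ignore unknown algorithms, then compare only against the
// strongest algorithm listed. Metadata with no usable entry imposes no check.
function matchesIntegrity(body, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((token) => ({ token, rank: ALGS.indexOf(token.split('-')[0]) }))
    .filter((e) => e.rank >= 0);
  if (entries.length === 0) return true;
  const top = Math.max(...entries.map((e) => e.rank));
  return entries.some((e) => e.rank === top && sriDigest(body, ALGS[e.rank]) === e.token);
}

// agent: 'legacy' (no SRI), 'sri-v1', or 'proposal' (hypothetical exhref support).
// fetchFn(url) returns the body, or null when the host is unreachable.
function resolveStylesheet(link, fetchFn, agent) {
  if (agent === 'proposal' && link.exhref) {
    const cdnBody = fetchFn(link.exhref);
    if (cdnBody !== null && matchesIntegrity(cdnBody, link.integrity)) {
      return { url: link.exhref, checked: true };
    }
  }
  const localBody = fetchFn(link.href);
  if (localBody === null) return { url: null, checked: false };
  if (agent === 'legacy') return { url: link.href, checked: false };
  // SRI-aware agents still apply `integrity` to the href copy (assumed).
  return matchesIntegrity(localBody, link.integrity)
    ? { url: link.href, checked: true }
    : { url: null, checked: true };
}

// Constructed sample data; the hosts are the ones used in the message.
const CSS = 'body { margin: 0 }';
const LOCAL = 'https://www.localsite.net/style.css';
const CDN = 'https://www.cndsite.net/product/v1.9.36/style.css';
const link = { href: LOCAL, exhref: CDN, integrity: sriDigest(CSS) };
const network = (bodies) => (url) => (url in bodies ? bodies[url] : null);
```

Under this model a legacy agent never contacts the CDN, so the unchecked load it performs is of the first-party copy only.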