
Re: Security / Technical feedback on subresource integrity specification

From: Francois Marier <francois@mozilla.com>
Date: Tue, 19 Jan 2016 17:37:17 -0800
To: public-webappsec@w3.org
Message-ID: <569EE4CD.8040401@mozilla.com>

On 18/01/16 05:36 PM, Mhano Harkness wrote:
> Perhaps a future version could support something like the below (or some
> other mechanisms to support graceful and secure fallback in case the
> CDN is not available, the user agent doesn't understand the new
> directive, etc.):

One thing that was pointed out to me by one of the developers of a large
site is that the use of a CDN is not always optional. In their case, if
static resources were to fall back to the main webserver, it would bring
it to its knees.

Another point that was raised is that if you have two copies of a
resource (one on the CDN and one local), you need to ensure that they
are always in sync and that you test both.

Francois
Received on Wednesday, 20 January 2016 01:37:48 UTC
