Re: Security / Technical feedback on subresource integrity specification

On 18/01/16 05:36 PM, Mhano Harkness wrote:
> Perhaps a future version could support something like the below (or some
> other mechanisms to support graceful and secure fall back in case the
> CDN is not available, the user agent doesn't understand the new
> directive, etc.):

One thing that was pointed out to me by one of the developers of a large
site is that the use of a CDN is not always optional. In their case, if
static resources were to fall back to the main webserver, it would bring
it to its knees.

Another point that was raised is that if you have two copies of a
resource (one on the CDN and one local), you need to ensure that they
are always in sync and that you test both.

Francois

Received on Wednesday, 20 January 2016 01:37:48 UTC
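
The sync concern raised in the message above, as an added example that is not part of the original thread: a pre-deploy check that the CDN copy and the local fallback copy both match the integrity value the page ships. The function names and the sample resource bodies are constructed for illustration.

```python
import base64
import hashlib

# Hash functions defined for SRI, weakest to strongest.
STRENGTH = ["sha256", "sha384", "sha512"]


def sri_digest(data, alg="sha384"):
    """Return the integrity token ("alg-base64digest") for a resource body."""
    raw = hashlib.new(alg, data).digest()
    return alg + "-" + base64.b64encode(raw).decode("ascii")


def strongest_tokens(integrity):
    """Keep only tokens using the strongest listed algorithm, as a user agent does."""
    tokens = [t.split("?", 1)[0] for t in integrity.split()]
    tokens = [t for t in tokens if t.split("-", 1)[0] in STRENGTH]
    if not tokens:
        return []
    best = max((t.split("-", 1)[0] for t in tokens), key=STRENGTH.index)
    return [t for t in tokens if t.split("-", 1)[0] == best]


def check_copies(integrity, copies):
    """Map each copy's name to True when its body matches the integrity value."""
    accepted = strongest_tokens(integrity)
    if not accepted:
        raise ValueError("integrity value has no supported hash")
    alg = accepted[0].split("-", 1)[0]
    return {name: sri_digest(body, alg) in accepted
            for name, body in copies.items()}


if __name__ == "__main__":
    # Constructed sample: the local fallback was not updated with the CDN copy.
    cdn_body = b"console.log('release 2');\n"
    local_body = b"console.log('release 1');\n"
    integrity = sri_digest(cdn_body)
    for name, ok in check_copies(integrity, {"cdn": cdn_body,
                                             "local": local_body}).items():
        print(name, "matches" if ok else "OUT OF SYNC")
```

Run against the real file contents before each release, a stale copy on either side fails the check instead of failing in the browser.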