Re: [SRI] require-sri-for: missing integrity metadata? same-origin loads? from Frederik Braun on 2016-09-12 (public-webappsec@w3.org from September 2016)

From: Frederik Braun <fbraun@mozilla.com>
Date: Mon, 12 Sep 2016 08:12:07 +0200
To: public-webappsec@w3.org
Message-ID: <b3c696db-d77d-11b5-e409-009b33ac2fd0@mozilla.com>

On 10.09.2016 01:23, Francois Marier wrote:
> This decision "require-sri" makes more-or-less unusable until SRI
> supports these extra mechanisms. That's OK given that nobody is using it
> now and that they can just wait until it's ready.

This isn't really a problem of the SRI spec[1]

Whoever invents MegaWorkers, should use fetch for their networking.
fetch requests have associated integrity metadata (which default to an
empty string) [2].
MegaWorkers has to figure out how fetch options should be passed on.

[1] But it is certainly a problem of the SRI editors. It is on us to
reach out to other spec authors about fetch options in their APIs.

[2] https://fetch.spec.whatwg.org/#requests

Received on Monday, 12 September 2016 06:12:38 UTC