Re: SRI spec Maintenance

From: Bertil Chapuis <bertil.chapuis@unil.ch>
Date: Tue, 2 Jul 2019 14:17:05 +0000
To: Frederik Braun <fbraun@mozilla.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <506F87D1-F0D3-4806-91F7-55F045038E99@unil.ch>

Hello Freddy,

> On 2 Jul 2019, at 15:30, Frederik Braun <fbraun@mozilla.com> wrote:
> 
> I've noticed that my spec co-editors have all not been very active
> lately, so I wonder who'd be willing to help with reviews on pull
> request - most of them will be of editorial nature.

Last year, I briefly presented a study related to SRI at TPAC and proposed to extend the specification (as initially intended) to other HTML elements such as img, video, or a. At this time, I only had a little time to dedicate to this task, but since then I have been hired by the University of Lausanne to do web security research. Therefore, I would gladly help in any revision work associated with the SRI specification.

> 
> In this specific case, I have removed all references to
> `require-sri-for`, because both Firefox and Gecko intend to remove this
> from their browsers. See
> <https://github.com/w3c/webappsec-subresource-integrity/pull/82>

Regarding the require-sri-for header, we are monitoring its use on the Web and it occurs very rarely (0.0132% of webpages). While it’s not widely used, don’t you think it introduces a nice separation of concerns between system administrators and web developers that could eventually help increase the adoption of the specification (2.55% of webpages are now including at least one SRI)?

Best regards,

Bertil

Received on Tuesday, 2 July 2019 14:48:27 UTC
