
Re: SRI spec Maintenance

From: Frederik Braun <fbraun@mozilla.com>
Date: Tue, 2 Jul 2019 16:50:45 +0200
To: Bertil Chapuis <bertil.chapuis@unil.ch>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <8066362f-fad3-eca4-8094-c72ffbaccf91@mozilla.com>


On 02.07.19 at 16:17, Bertil Chapuis wrote:
> Hello Freddy,
> 
>> On 2 Jul 2019, at 15:30, Frederik Braun <fbraun@mozilla.com> wrote:
>>
>> I've noticed that my spec co-editors have all not been very active
>> lately, so I wonder who'd be willing to help with reviews on pull
>> requests - most of them will be of editorial nature.
> 
> Last year, I briefly presented a study related to SRI at TPAC and proposed to extend the specification (as initially intended) to other HTML elements such as img, video, or a. At that time, I only had a little time to dedicate to this task, but since then I have been hired by the University of Lausanne to do web security research. Therefore, I would gladly help in any revision work associated with the SRI specification.
> 

Great! AFAIU you can easily support making editorial changes, but will
have to formally join the working group for anything that's not
considered "non-substantial". I'd rather let the working group chairs
clarify this statement.

To be clear, I don't have a strong interest in introducing new things to
SRI yet, but I do want to clean up some of the remaining issues.

>>
>> In this specific case, I have removed all references to
>> `require-sri-for`, because both Firefox and Gecko intend to remove this
>> from their browsers. See
>> <https://github.com/w3c/webappsec-subresource-integrity/pull/82>
> 
> Regarding the require-sri-for header, we are monitoring its use on the Web and it occurs very rarely (0.0132% of webpages). Whereas it's not widely used, don't you think it introduces a nice separation of concerns between system administrators and web developers that could eventually help in increasing the adoption of the specification (2.55% of webpages are now including at least one SRI)?
> 

I'm afraid that ship has sailed.
We've unimplemented it in Firefox 68 (currently beta)
<https://bugzilla.mozilla.org/show_bug.cgi?id=1386214> and
Blink is considering removing it as well
<https://bugs.chromium.org/p/chromium/issues/detail?id=618924#c11>.


> Best regards,
> 
> Bertil
> 
Received on Tuesday, 2 July 2019 14:51:11 UTC
