
Re: SRI spec Maintenance

From: Frederik Braun <fbraun@mozilla.com>
Date: Tue, 2 Jul 2019 16:50:45 +0200
To: Bertil Chapuis <bertil.chapuis@unil.ch>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <8066362f-fad3-eca4-8094-c72ffbaccf91@mozilla.com>

On 02.07.19 at 16:17, Bertil Chapuis wrote:
> Hello Freddy,
>> On 2 Jul 2019, at 15:30, Frederik Braun <fbraun@mozilla.com> wrote:
>> I've noticed that my spec co-editors have all not been very active
>> lately, so I wonder who'd be willing to help with reviews on pull
>> requests - most of them will be of editorial nature.
> Last year, I briefly presented a study related to SRI at TPAC and proposed to extend the specification (as initially intended) to other HTML elements such as img, video, or a. At this time, I only had a little time to dedicate to this task, but since then I have been hired by the University of Lausanne to do web security research. Therefore, I would gladly help in any revision work associated with the SRI specification.

Great! AFAIU you can easily support making editorial changes, but will
have to formally join the working group for anything that's not
considered "non-substantial". I'd rather let the working group chairs
clarify this statement.

To be clear, I don't have a strong interest to introduce new things to
SRI yet, but I do want to clean up some of the remaining issues.

>> In this specific case, I have removed all references to
>> `require-sri-for`, because both Firefox and Gecko intend to remove this
>> from their browsers. See
>> <https://github.com/w3c/webappsec-subresource-integrity/pull/82>
> Regarding the require-sri-for header, we are monitoring its use on the Web and it occurs very rarely (0.0132% of webpages). Whereas it’s not widely used, don’t you think it introduces a nice separation of concerns between system administrators and web developers that could eventually help in increasing the adoption of the specification (2.55% of webpages are now including at least one SRI)?

I'm afraid that ship has sailed.
We've unimplemented it in Firefox 68 (currently beta)
<https://bugzilla.mozilla.org/show_bug.cgi?id=1386214> and
Blink considers removing as well.

> Best regards,
> Bertil
Received on Tuesday, 2 July 2019 14:51:11 UTC
