W3C home > Mailing lists > Public > www-tag@w3.org > October 2014

Re: Comments on the EME opinion

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 29 Oct 2014 10:46:52 +0100
Message-ID: <CADnb78g_XKPQ+p0jCrYBQQGHnfifsbZUej9qfB4xF6XwrgZc+Q@mail.gmail.com>
To: Henri Sivonen <hsivonen@hsivonen.fi>
Cc: David Dorwin <ddorwin@google.com>, Mark Watson <watsonm@netflix.com>, Domenic Denicola <domenic@domenicdenicola.com>, www-tag <www-tag@w3.org>
On Wed, Oct 29, 2014 at 10:28 AM, Henri Sivonen <hsivonen@hsivonen.fi> wrote:
> It's worth noting that most of the fragility would come from
> preventing the application from obtaining information about the
> resource before the hash has been computed (successfully). This
> fragility already follows if the integrity policy "block" ends up
> being implemented for XHR per Subresource Integrity:
> http://w3c.github.io/webappsec/specs/subresourceintegrity/#xmlhttprequest-1

The main problem is new ways of opening unauthenticated connections.

Also, Chrome's SRI implementations requires TLS. (And aside, SRI will
need to require CORS (not sure if that has been fixed).)

Received on Wednesday, 29 October 2014 09:47:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:06 UTC