- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 29 Oct 2014 10:46:52 +0100
- To: Henri Sivonen <hsivonen@hsivonen.fi>
- Cc: David Dorwin <ddorwin@google.com>, Mark Watson <watsonm@netflix.com>, Domenic Denicola <domenic@domenicdenicola.com>, www-tag <www-tag@w3.org>

On Wed, Oct 29, 2014 at 10:28 AM, Henri Sivonen <hsivonen@hsivonen.fi> wrote:
> It's worth noting that most of the fragility would come from
> preventing the application from obtaining information about the
> resource before the hash has been computed (successfully). This
> fragility already follows if the integrity policy "block" ends up
> being implemented for XHR per Subresource Integrity:
> http://w3c.github.io/webappsec/specs/subresourceintegrity/#xmlhttprequest-1

The main problem is new ways of opening unauthenticated connections.
Also, Chrome's SRI implementation requires TLS. (And aside, SRI will
need to require CORS (not sure if that has been fixed).)

--
https://annevankesteren.nl/

Received on Wednesday, 29 October 2014 09:47:23 UTC