2015 05 04 SRI Update

Francois Marier edited this page May 4, 2015 · 9 revisions

SRI Update for the 2015-05-04 Teleconf

Recent changes

  • Reporting via CSP has been removed but error events are now always triggered.
  • Authors can specify more than one hash of the same strength and a sub-resource will be loaded if it matches one of them.
  • MIME types are no longer checked and global options have been removed from the metadata format.
  • Per-hash options are possible but none will be defined in v1.
  • We now require CORS loads or same-origin for a resource to be eligible for integrity checks. The concepts of "publicly cachable and CORS-enabled" are gone from the spec.
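The matching rules listed above, sketched as an added example (not code from the spec or its editors). It assumes the `alg-base64digest?options` token syntax and the sha256 < sha384 < sha512 strength ordering of the published SRI specification; the function names, the `?foo=bar` option and the sample scripts are constructed for illustration.

```python
import base64
import hashlib

# Strength order, weakest to strongest. Assumption taken from the published
# SRI specification, not from this page.
STRENGTH = ["sha256", "sha384", "sha512"]


def parse_metadata(integrity):
    """Return {algorithm: [digest bytes, ...]} for every usable token."""
    parsed = {}
    for item in integrity.split():
        expr = item.split("?", 1)[0]  # per-hash options: none defined in v1, ignored
        alg, sep, b64 = expr.partition("-")
        if not sep or alg not in STRENGTH:
            continue  # malformed token or unknown algorithm
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # not valid base64
        parsed.setdefault(alg, []).append(digest)
    return parsed


def check(integrity, body, same_origin, cors_ok=False):
    """Return 'ineligible', 'no-metadata', 'match' or 'mismatch'."""
    if not (same_origin or cors_ok):
        return "ineligible"  # how to handle this case is open issue #317
    parsed = parse_metadata(integrity)
    if not parsed:
        return "no-metadata"  # invalid-metadata handling is also issue #317
    strongest = max(parsed, key=STRENGTH.index)
    actual = hashlib.new(strongest, body).digest()
    # Any one hash of the strongest strength is enough; weaker ones are not consulted.
    return "match" if actual in parsed[strongest] else "mismatch"


def make_token(alg, data, options=""):
    digest = base64.b64encode(hashlib.new(alg, data).digest()).decode()
    return f"{alg}-{digest}{options}"


# Constructed sample: two acceptable builds of one script, both pinned with sha384.
V1, V2 = b"console.log('v1');", b"console.log('v2');"
META = " ".join([make_token("sha256", b"stale"), make_token("sha384", V1),
                 make_token("sha384", V2, "?foo=bar")])

if __name__ == "__main__":
    for body in (V1, V2, b"tampered"):
        print(body, check(META, body, same_origin=False, cors_ok=True))
```

The function only classifies the load; what a user agent does with an ineligible resource or unusable metadata is left to the caller, since the page lists that as undecided.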

Outstanding issues

From the full list of open issues for v1, these issues need attention:

  • Should HTTP headers disqualify resources from getting integrity checked? #305
  • Clarify how we handle non-eligible resources and invalid metadata. #317
  • Should the about: scheme be whitelisted? #319
  • Should we mention MIME types in the security considerations? #302

TODO

  • Go through mnot's comments and figure out what we should bring up at the teleconf.