Skip to content

2015 05 04 SRI Update

Jump to bottom Edit New page
Francois Marier edited this page Apr 30, 2015 · 9 revisions

SRI Update for the 2015-05-04 Teleconf

Recent changes

  • We now require CORS loads or same-origin for a resource to be eligible for integrity checks. The concepts of "publicly cachable and CORS-enabled" are gone from the spec.
  • Reporting via CSP has been removed but error events are now always triggered.
  • Authors can specify more than one hash of the same strength and a sub-resource will be loaded if it matches one of them.

Outstanding issues

  • Should HTTP headers disqualify resources from getting integrity checked? #305
  • Clarify how we handle non-eligible resources and invalid metadata. #317
  • Should the about: scheme be whitelisted? #319

TODO

  • go through mnot's comments and figure out what we should bring up at the teleconf
  • go through open pull requests and see if we can merge some of these ahead of the teleconf
Add a custom footer
Add a custom sidebar
Clone this wiki locally