LGTM, what's the status wrt other browsers supporting this? Thanks, Johnny
On Tue, Dec 30, 2014 at 9:40 PM, Francois Marier <franc...@mozilla.com> wrote: > Summary: Allow web authors to add integrity checks to sub-resources. > > Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=992096 > > Spec: http://www.w3.org/TR/SRI/ > > Platforms: all > > Estimated or target release: Q1 of 2015 > > Preference behind which this will be implemented: > security.subResourceIntegrity.enable > > Background: > > The best way to explain this is through an example. If you have the > following: > > <script src="https://code.jquery.com/jquery-1.10.2.min.js" > > integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=application/javascript"> > > then the browser will refuse to execute the script if someone has gained > access to the jQuery servers and has replaced the script with a > malicious one (the hash won't match the expected one). > > Our initial implementation will be limited to integrity checks for > script tags and stylesheets. While the spec is still evolving, we expect > to cover everything that ends up in level 1 of the spec. > > Feel free to contact me if you have any questions. > > Francois > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform -- jst _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform