SRI: Encourage support for extensions like HTTPSEverywhere.
mikewest committed Mar 26, 2014
1 parent a108a8d commit b85f0fa
Showing 2 changed files with 13 additions and 0 deletions.
6 changes: 6 additions & 0 deletions specs/subresourceintegrity/index.html
Expand Up @@ -619,6 +619,12 @@ <h4 id="does-varresourcevar-match-varmetadatalistvar">Does <var>resource</var> m
be reasonable for the user agent to warn the page&#8217;s author about the
dangers of MIME type confusion attacks via its developer console.</p>

<p class="note">User agents may allow users to modify the result of this algorithm via user
preferences, bookmarklets, third-party additions to the user agent, and other
such mechanisms. For example, redirects generated by an extension like
<a href="https://www.eff.org/https-everywhere">HTTPSEverywhere</a> could load and execute

diracdeltas Mar 27, 2014

s/HTTPSEverywhere/HTTPS Everywhere

correctly, even if the HTTPS version of a resurce differs from the HTTP version.</p>

diracdeltas Mar 27, 2014

s/resurce/resource


</section>
<!-- Algorithms::Match -->
</section>
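
Review bot: In the added `<p class="note">`, "modify the result of this algorithm" is unscoped: as written it covers any user-side mechanism overriding a failed integrity match, not only the extension-redirect case given as the example, and it does not say what the page author sees when that happens. Consider narrowing the sentence to the case the example describes (a user-installed mechanism rewrites the fetch, so the bytes can legitimately differ from what the author hashed) and stating that the override is the user's choice rather than something the page or the resource's server can trigger. The paragraph just above already suggests a developer-console warning for MIME type confusion; a similar console message when a match result has been overridden would keep authors from reading such a load as a passed integrity check. The two spelling fixes flagged inline ("HTTPS Everywhere", "resource") should go in with that change.
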
7 changes: 7 additions & 0 deletions specs/subresourceintegrity/spec.markdown
Expand Up @@ -483,6 +483,13 @@ be reasonable for the user agent to warn the page's author about the
dangers of MIME type confusion attacks via its developer console.
{:.note}

User agents may allow users to modify the result of this algorithm via user
preferences, bookmarklets, third-party additions to the user agent, and other
such mechanisms. For example, redirects generated by an extension like
[HTTPSEverywhere](https://www.eff.org/https-everywhere) could load and execute
correctly, even if the HTTPS version of a resurce differs from the HTTP version.
{:.note}

[parse]: #parse-metadata.x
[get-the-strongest]: #get-the-strongest-metadata-from-set.x
[match]: #does-resource-match-metadatalist
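
Review bot: The same two slips are present in this file, "[HTTPSEverywhere]" in the link text and "resurce" in the last sentence of the added paragraph, but the inline comments on this commit only flag them in index.html; fix them here as well so the markdown and the HTML do not drift apart. Any rewording of "modify the result of this algorithm" to narrow its scope should likewise be made in both files in the same commit.
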

0 comments on commit b85f0fa
