SRI: Encourage support for extensions like HTTPSEverywhere.

w3c · Mar 26, 2014 · b85f0fa · diracdeltas · Mar 27, 2014 · diracdeltas
1 parent a108a8d
commit b85f0fa
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/specs/subresourceintegrity/index.html b/specs/subresourceintegrity/index.html
@@ -619,6 +619,12 @@ <h4 id="does-varresourcevar-match-varmetadatalistvar">Does <var>resource</var> m
 be reasonable for the user agent to warn the page&#8217;s author about the
 dangers of MIME type confusion attacks via its developer console.</p>
 
+      <p class="note">User agents may allow users to modify the result of this algorithm via user
+preferences, bookmarklets, third-party additions to the user agent, and other
+such mechanisms. For example, redirects generated by an extension like
+<a href="https://www.eff.org/https-everywhere">HTTPSEverywhere</a> could load and execute
+correctly, even if the HTTPS version of a resurce differs from the HTTP version.</p>
+
     </section>
     <!-- Algorithms::Match -->
   </section>

diff --git a/specs/subresourceintegrity/spec.markdown b/specs/subresourceintegrity/spec.markdown
@@ -483,6 +483,13 @@ be reasonable for the user agent to warn the page's author about the
 dangers of MIME type confusion attacks via its developer console.
 {:.note}
 
+User agents may allow users to modify the result of this algorithm via user
+preferences, bookmarklets, third-party additions to the user agent, and other
+such mechanisms. For example, redirects generated by an extension like
+[HTTPSEverywhere](https://www.eff.org/https-everywhere) could load and execute
+correctly, even if the HTTPS version of a resurce differs from the HTTP version.
+{:.note}
+
 [parse]: #parse-metadata.x
 [get-the-strongest]: #get-the-strongest-metadata-from-set.x
 [match]: #does-resource-match-metadatalist