SRI: towards minimum viable SRI

[mozfreddyb]

This is my stab to get the spec aligned with the consensus we discussed at last week's discussions.

More commits incoming, this first one is only up to section 3.4 (excluded).
I've also filed some minor issues on the tracker (#71, #73) which are untouched by this pull request.

[mozfreddyb]

@mikewest, @metromoxie @devd:

Gentlemen, I hope you'll enjoy this fine read :-)
I tried to make the commits small enough to review. individually and can squash them before merge, if desired.

Note:

• I left the fallback/reporting untouched, as I think we should just go for it.
• I sneakily left the proposed restriction out, to only allow SRI on authenticated origins. Hoping that we get to fight a lot more about this on the mailing list. (There are no Bikeshed emoticons on Github, so I'll go with 🚲 🐚 )

[devd]

a minor nit -- I was wondering if we should keep the original full spec in a separate file or branch?

[devd]

(btw, I am taking a look too)

[mikewest]

Good idea, @devd. Branched https://github.com/w3c/webappsec/tree/original-sri so we keep it around in a named branch.

I don't have a ton of time to review this right now, but I totally trust you three to do the right thing with the document! I hope I'll have some time to get back to this once MIX and CSP3 are further along.

[joelweinberger]

We should probably have a comment stating that this is still up in the air. Downloads, in I recall correctly at TPAC, did not come to consensus.

[mozfreddyb]

I wasn't sure about downloads and thought this just needs more discussion. I'm also OK with leaving it out if everyone agrees.

[devd]

I think Joel's suggesting just adding a comment that this is still up in the air to clarify that this is not finalized. Lets leave it in, but just add a comment?

[mozfreddyb]

Did that in 656d2f8 :)

[devd]

lgtm. @metromoxie are you ok with merging? I agree we should have a comment about a download

[mozfreddyb]

I did not hear any objections, so I will merge.