On 14/04/15 17:46, j...@chromium.org wrote:
> I just wanted to mention that regarding subresource integrity
> (https://w3c.github.io/webappsec/specs/subresourceintegrity/), the
> general consensus over here is that we will not treat origins as
> secure if they are over HTTP but loaded with integrity. We believe
> that security includes confidentiality, which that approach
> would lack.
> --Joel

Radical idea: currently, the web has two states, insecure and secure. What if it still had two states, with the same UI, but insecure meant "HTTPS top-level, but some resources may be loaded using HTTP with integrity", and secure meant "HTTPS throughout"?

That is to say, we don't have to tie the availability of new features to the same criteria as we tie the HTTP vs. HTTPS icon/UI in the browser. We could allow powerful features for HTTPS-top-level-and-some-HTTP-with-integrity, while still displaying it as insecure.

Gerv