Nope it doesn't solve packages
@hillbrad had ideas about what fallback might look like.
tl;dr <xyzzy src="{$CDN}" integrity="..." canonical-src="{$httpsFallback}"/> canonical-src used w/o further checks if integrity fails.
I see a new XSS filter/XSS mitigation bypass right there ;-). Also this probably enables cross-origin leaks.
Sebastian's right, we shouldn't introduce new src-ish attributes without a very good reason. It's hard enough to sanitize HTML as it is now.
That would allow one to use a CDN for the most important load (the 1st one that blocks everything) w/o trust, but requires much more infra.
The idea of the signing is to detect and prevent a third party from injecting/modifying js
