The risk is someone stealing my email/photos/documents. Not a website logging my visit.
But that's exactly why we have SRI and apps that worry about this should definitely use it.
-
We need SRI + no dynamic loading.
-
SRI is enough if you trust the place you're loading JS from. Otherwise, don't load the JS.
-
How about GA demanding SRI?
-
Or maybe scripts can't inject script tags with hash attributes?
-
If so we should come up with a way for script sources to request then demand SRI in two steps.
-
What would this protect against? An evil JS provider could just not opt into any checks.
-
But providers with great power could lower the aggregate risk on the web.