I lean towards allowing SRI on HTTP resources from HTTPS contexts. Just treat as mixed display and phase in integrity as a hard requirement.
What are the arguments against requiring confidentiality? Are you mostly worried about performance or something else?
-
Very steep hill in emerging markets. No real value on public resources given traffic profiling. Forces everyone to CDNs.
-
Makes sense. A counterpoint, though: developers re-engineering apps to an inferior model for what's mostly a short-term performance gain.
-
Engineering is the same: SRI is best practice for CDN hosted resources. The question is if it impedes or enables a path to HTTPS everywhere.