by asaph
2766 days ago
Without versioned assets, both the 3rd and 1st parties would need to make the update at the exact same time or else the enforced SRI would cause failures. This kind of tight coordination is impractical or even impossible. Versioned assets allow you to deploy updates when using SRI without breaking anything. The need to avoid automation stems from the fact that an automated process which simply detects that a change has been made and blindly updates the SRI attribute with a new hash would let a malicious code update through, which normally SRI would have blocked. This situation is no different than not using SRI at all.
1. Provider informs clients that a new version with digest X will be deployed.
2. Clients add the new digest in addition to the current digest.
3. Provider switches to new asset version.
4. Clients remove old digest (optional).
Versioned assets are obviously better unless you're in a really weird situation, but SRI doesn't particularly require them.