
A slightly more sensible approach may be to allow script tags (or any external linking mechanism) to list multiple (trusted) sources, and fall back appropriately.

That certainly feels more in line with how the internet in general was designed.

    <script src="googleapi/jquery,code.jquery.com/jquery,/my/own/version/jquery">


The point they were making is that googleapi and code.jquery.com don't count as trusted (at least not until you verify the hash).


The domains are obviously trusted to a degree. The objective of the hash is just to allow a content-addressed[0] client-side web cache, and avoid talking to them most of the time. Good for privacy, security and load times.

[0] http://en.wikipedia.org/wiki/Content-addressable_storage
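Added example, not part of any comment in this thread: a sketch of the two ideas discussed above, a list of fallback sources and a hash that gates acceptance and keys a content-addressed cache. The source names, the `loadPinned` function and the script bodies are constructed for illustration, and each `fetch` is an in-memory stand-in for an HTTP request so the block runs offline under Node.js.

```javascript
const { createHash } = require("node:crypto");

// Constructed sample bodies: the script the page author pinned, and a modified copy.
const GOOD = "window.lib = function () { return 'v1'; };";
const TAMPERED = GOOD + " /* modified in transit or at the host */";

// Hypothetical sources in the author's preference order.
const SOURCES = [
  { name: "cdn-a.example", fetch: () => { throw new Error("unreachable"); } },
  { name: "cdn-b.example", fetch: () => TAMPERED },
  { name: "/my/own/version", fetch: () => GOOD },
];

// Digest label of the form "sha256-<base64>", used as the pin and the cache key.
function sha256(body) {
  return "sha256-" + createHash("sha256").update(body).digest("base64");
}

// Return the first body whose digest equals the pin. A cache hit contacts no
// source at all; a source that fails or serves different bytes is skipped.
function loadPinned(expected, sources, cache) {
  const log = [];
  if (cache.has(expected)) {
    return { body: cache.get(expected), from: "cache", log };
  }
  for (const source of sources) {
    let body;
    try {
      body = source.fetch();
    } catch (err) {
      log.push(`${source.name}: ${err.message}`);
      continue;
    }
    if (sha256(body) !== expected) {
      log.push(`${source.name}: hash mismatch`);
      continue; // never execute or cache unverified bytes
    }
    cache.set(expected, body); // keyed by content hash, not by URL
    return { body, from: source.name, log };
  }
  return { body: null, from: null, log }; // fail closed: nothing matched the pin
}
```

Because the cache is keyed by the digest rather than the URL, a second page that pins the same hash gets the cached copy regardless of which host it lists.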



