SRI allows one to specify multiple hashes. In other words, to prevent this particular mismatch, one could include the hash of the new resource as well as the previous valid hash.
I don't pretend to be a chemist, doctor, or nutritionist, so I assume they have a good reason for adding it. They also seem to know about the bad publicity carrageenan has by calling out that it isn't poligeenan. I do wonder what the benefit of adding it is.
It seems like they still haven't gotten over the negative press and that this might not help them get more traction if it gets sensationalized.
Poligeenan, also known as degraded carrageenan, was shown in some studies to be carcinogenic. Some high-profile foods had carrageenan and there was some bad publicity due to it.
I am not a doctor, but I do believe that carrageenan has been classified as perfectly safe by the FDA.
> I am not a doctor, but I do believe that carrageenan has been classified as perfectly safe by the FDA.
I am not a doctor (nor, more to the point, a food & drug regulation expert), but I do not believe that FDA has a classification of "perfectly safe" that it applies to ingredients.
True. They do have a classification of Generally Recognized As Safe (GRAS). Not the same thing as "perfectly safe", but I'm guessing that's what they probably meant.
The HTTP 2.0 spec[1] mentions "Implementations of HTTP/2 MUST support TLS 1.2" and it appears Chrome will implement HTTP/2 via TLS only (http://volgarev.me/blog/75094931827).
ds9, yes, "site certs the browser doesn't trust a CA for" is more accurate. You can find the exact details of HSTS and self-signed certs in the draft in section 11.3[1]. I've updated the post to hopefully be more clear.