Immediately after switching the page, it will work with CSR.
Please reload your browser to see how it works.
I'll have to disagree. There are no known collision attacks against SHA-1(SHA-3(M)), so in the applied case, a combination can be more secure for some properties, even if it isn't in the theoretical case.
Now 4 out of 10 services are marked as "Incident", yet most of the others are also completely dead.
But this isn't true for all flaws. For example, even with the collision attacks against SHA-1, I don't think they're even remotely close to enabling a collision for SHA-1(some_other_hash(M)).
Similarly, HMAC-SHA-1 is still considered secure, as it's effectively SHA-1-X(SHA-1-Y(M)), where SHA-1-X and SHA-1-Y are just SHA-1 with different starting states.
So there's some value to be found in nesting hashes.
[0]: https://en.wikipedia.org/wiki/Museum_of_Bad_Art#Collection_h...