[Bug 20789] Signature (cryptographic hash) attribute for <script> from bugzilla@jessica.w3.org on 2013-01-28 (public-html-bugzilla@w3.org from January 2013)

From: <bugzilla@jessica.w3.org>
Date: Mon, 28 Jan 2013 17:08:24 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-20789-2486-AiIoZqdXYk@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=20789

estark@mit.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |estark@mit.edu

--- Comment #7 from estark@mit.edu ---
I agree that "signature" might be confusing as an attribute name and that hash
would be better. To avoid confusion with window.location.hash, "digest" might
be appropriate.

One advantage of requiring the CDN to serve CORS headers is that it would make
this a more backwards-compatible proposal: if websites want to always verify
their static content, they could use a script tag with a signature/hash/digest
attribute when available, and otherwise fall back to fetching the script via
XHR, hashing it in JS, and eval'ing it.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Monday, 28 January 2013 17:08:25 UTC