
Re: [integrity]: CSS-loaded resources.

From: Tab Atkins <tabatkins@google.com>
Date: Mon, 13 Jan 2014 15:39:56 -0800
Message-ID: <CACwK9gf4aaXc=_P71cDV8AYrabsQhLL08XCu8_DKg6xfAFHHGw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
On Sat, Jan 11, 2014 at 10:30 AM, Mike West <mkwst@google.com> wrote:
> Splitting this off into a separate thread, and adding Tab (Hi, Tab!). Tab,
> I'm putting words in your mouth below, please correct me if I'm
> misrepresenting your opinions. :)
>
> On Sat, Jan 11, 2014 at 4:06 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
>>
>> For CSS I think we want something like integrity-url(), but maybe CSS
>> should have a more generic mechanism as I suspect we want to be able
>> to control more there in the long term. E.g. CORS, whether Referer is
>> emitted, whether cookies are included, etc. So maybe we should have
>> url() and fetch() where fetch() allows for metadata.
>
>
> Tab's suggestion was something like this:
>
>     .coolClass {
>         background-image: integrity('http://example.com/img.png', 'ni:///sha256;jfoiajfija...');
>     }
>
> He wasn't a fan of the integrity block at the top of the file, as it would
> quickly get out of sync with the resources in the file. I suggested that
> build tools would be almost required for a scheme like this anyway, he was
> not impressed. :)
>
> A more generic 'fetch()' sounds interesting. I'm not sure I'd appreciate a
> new CSS thing with positional arguments, and I don't know of any other CSS
> thing with named parameters. *shrug* I'm not at all sure how something like
> that would fit into the larger picture of CSS grammar. Tab, I assume, will
> have opinions.

fetch() works too!

fetch( <string-or-url> <fetch-metadata>#? )
<fetch-metadata> = integrity <string> | (more later)

So like:

.foo {
  background-image: fetch('http://example.com/img.png' integrity 'ni:///sha256...');
}

Then we can add things like "cors" or "anonymous" or whatever to the
<fetch-metadata> term, etc.

~TJ
Received on Monday, 13 January 2014 23:40:24 UTC
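
The fetch() form proposed in the message above, checked the way a build tool or user agent could check it. This is an added example, not code from the thread or from any specification: the function names are hypothetical, the sample bytes are constructed, and the digest is assumed to be unpadded base64url as in RFC 6920, with the thread's `sha256` spelling accepted alongside RFC 6920's `sha-256`.

```python
import base64
import hashlib
import re

# Matches the form proposed in the message: fetch('<url>' integrity '<ni-uri>')
FETCH_RE = re.compile(
    r"""fetch\(\s*(['"])(?P<url>.*?)\1\s+integrity\s+(['"])(?P<ni>.*?)\3\s*\)""",
    re.S,
)
# ni URI with an empty authority, as written in the thread: ni:///<alg>;<digest>
NI_RE = re.compile(r"^ni:///(?P<alg>[A-Za-z0-9-]+);(?P<val>[A-Za-z0-9_-]+)$")
# Assumption: accept both the thread's "sha256" and RFC 6920's "sha-256".
ALGS = {"sha256": hashlib.sha256, "sha-256": hashlib.sha256}


def parse_fetch(css_value):
    """Return (url, ni_uri) from a fetch() value, or None if it does not match."""
    m = FETCH_RE.search(css_value)
    return (m.group("url"), m.group("ni")) if m else None


def make_ni(body, alg="sha256"):
    """Build the ni URI a build tool would emit for the given resource bytes."""
    digest = ALGS[alg](body).digest()
    val = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return "ni:///%s;%s" % (alg, val)


def integrity_ok(ni_uri, body):
    """Fail closed: malformed URI, unknown algorithm or digest mismatch -> False."""
    m = NI_RE.match(ni_uri)
    if not m or m.group("alg") not in ALGS:
        return False
    val = m.group("val")
    try:
        # Restore the padding that the unpadded base64url form drops.
        expected = base64.urlsafe_b64decode(val + "=" * (-len(val) % 4))
    except ValueError:
        return False
    return expected == ALGS[m.group("alg")](body).digest()


# Constructed sample: stand-in image bytes and a rule in the proposed syntax.
IMG = b"\x89PNG constructed sample bytes"
RULE = (".foo { background-image: fetch('http://example.com/img.png' "
        "integrity '%s'); }" % make_ni(IMG))
```

A truncated digest such as the elided ones quoted in the thread does not match the ni pattern, so the check rejects it rather than treating the resource as unverified-but-allowed.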
