
Re: [integrity]: CSS-loaded resources.

From: Mike West <mkwst@google.com>
Date: Thu, 16 Jan 2014 13:12:37 +0100
Message-ID: <CAKXHy=e5jxCPc2oZTX-UAF92qfpTN1oU8YDx0a-t_B-vb85Wug@mail.gmail.com>
To: Tab Atkins <tabatkins@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>

On Tue, Jan 14, 2014 at 12:39 AM, Tab Atkins <tabatkins@google.com> wrote:

> fetch() works too!
>
> fetch( <string-or-url> <fetch-metadata>#? )
> <fetch-metadata> = integrity <string> | (more later)
>
> So like:
>
> .foo {
>   background-image: fetch('http://example.com/img.png' integrity 'ni:///sha256...');
> }
>
> Then we can add things like "cors" or "anonymous" or whatever to the
> <fetch-metadata> term, etc.
>

Great! Sold!

Would you prefer to add the definition of `fetch()` to one of the zillion
specs you're responsible for, and for this document to extend the
'<fetch-metadata>' list? Or would you prefer for this spec to define the
whole thing?

I'd lean towards the former, but I'm happy to take a stab at the latter if
you like.

-mike
Received on Thursday, 16 January 2014 12:13:25 UTC
