W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: [integrity]: CSS-loaded resources.

From: Tab Atkins <tabatkins@google.com>
Date: Thu, 16 Jan 2014 15:06:02 -0800
Message-ID: <CACwK9ge_+iDb7uYgfCUVF02CC-U8c_-Tvpu8oMiofR6hEvmFgQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
On Thu, Jan 16, 2014 at 4:12 AM, Mike West <mkwst@google.com> wrote:
> On Tue, Jan 14, 2014 at 12:39 AM, Tab Atkins <tabatkins@google.com> wrote:
>>
>> fetch() works too!
>>
>> fetch( <string-or-url> <fetch-metadata>#? )
>> <fetch-metadata> = integrity <string> | (more later)
>>
>> So like:
>>
>> .foo {
>>   background-image: fetch('http://example.com/img.png' integrity
>> 'ni:///sha256...');
>> }
>>
>> Then we can add things like "cors" or "anonymous" or whatever to the
>> <fetch-metadata> term, etc.
>
>
> Great! Sold!
>
> Would you prefer to add the definition of `fetch()` to one of the zillion
> specs you're responsible for, and for this document to extend the
> '<fetch-metadata>' list? Or would you prefer for this spec to define the
> whole thing?
>
> I'd lean towards the former, but I'm happy to take a stab at the latter if
> you like.

The former is what I'm shooting for too.  I'm pinging Anne separately
to see if he has opinions on exactly how the spec should look.

~TJ
Received on Thursday, 16 January 2014 23:06:29 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 16 January 2014 23:06:30 UTC