Seems pretty reasonable to align the two specs. Might as well give some flexibility in terms of truncation. -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Wed, Jan 7, 2015 at 6:16 PM, Joel Weinberger <jww@chromium.org> wrote: > Not surprisingly, as the Chromium implementor, I support including > sha-384. This would also be consistent with the CSP Editor's draft: > https://w3c.github.io/webappsec/specs/content-security-policy/ > > > On Tue Jan 06 2015 at 7:19:48 PM Francois Marier <francois@mozilla.com> > wrote: > >> Should we include sha-384 as a mandatory algorithm to support? >> >> The Chromium [1] and Firefox [2] implementations both support it and >> it's part of CSP Level 2 [3]. >> >> Francois >> >> [1] >> https://code.google.com/p/chromium/codesearch#chromium/ >> src/third_party/WebKit/Source/core/frame/SubresourceIntegrity.cpp&sq= >> package:chromium&type=cs&l=66 >> >> [2] >> https://bitbucket.org/fmarier/mozilla-central-mq-992096/src/ >> 4a686871b1cda481e8eb6044ee2015438c1ae12b/bug992096.patch?at= >> default#cl-1115 >> >> [3] http://www.w3.org/TR/CSP2/#source-list-valid-hashes >> >>
Received on Thursday, 8 January 2015 09:07:44 UTC