- From: Francois Marier <francois@mozilla.com>
- Date: Sat, 31 Jan 2015 14:52:29 +1300
- To: WebAppSec WG <public-webappsec@w3.org>
On 31/01/15 02:49, Joel Weinberger wrote:
> Another +1 to getting rid of ni:// and consistency with CSP.
To remove any ambiguity, let's summarize the current proposals by
looking at two real examples:
1. My original proposal with the addition of content-type inside the
integrity attribute:
<script src="https://code.jquery.com/jquery-1.11.2.js"
integrity="application/x-javascript:
sha256-WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
sha384-ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
sha512-7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w==
"></script>
2. Martin's proposal:
<script src="https://code.jquery.com/jquery-1.11.2.js"
integrity="type:application/x-javascript
sha256:WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
sha384:ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
sha512:7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w==
"></script>
Should we build some extensibility into that format to account for any
future revisions of the spec?
Using Martin's "type:" prefix, here's an idea:
<script src="https://code.jquery.com/jquery-1.11.2.js"
integrity="type:application/x-javascript version:1
irrelevant-security-option:strict
sha256-WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
sha384-ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
sha512-7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w==
"></script>
In other words, the integrity attribute would be:
- whitespace-delimited list of tokens
- tokens are either a CSP2 hash-source, or an option
- an option token consists of: name + semicolon + value (no whitespace)
- the only valid option name right now is "type" (or perhaps "ct"?)
- none of the options are mandatory
Francois
Received on Saturday, 31 January 2015 01:53:04 UTC