- From: <bugzilla@jessica.w3.org>
- Date: Mon, 28 Jan 2013 05:38:16 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20789

--- Comment #6 from Victor Costan <costan@gmail.com> ---
@nickolai: these are two very good points.

I would prefer "hash" as an attribute name. I didn't propose it because I was afraid it might be confused with "window.location.hash".

The content-matching is a very good point! I see two avenues for solving this:

1) The presence of a "hash" / "signature" attribute with a valid value causes the script resource to be fetched according to the CORS specification [3] where withCredentials is false. This relies on proven existing standards, but requires infrastructure changes on the CDNs, which would have to add the HTTP header "access-control-allow-origin: *"

2) The hash check only succeeds if the script contains a magic comment "//@ allowHashing", along the lines of the source maps specification [4]. For inter-operability with source maps, the magic comment should be allowed to occur anywhere in the file. This is likely to be easier to implement in user agents and CDNs, assuming an appropriate magic comment can be figured out.

[3] http://www.w3.org/TR/cors/
[4] https://github.com/mozilla/source-map

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Monday, 28 January 2013 05:38:18 UTC
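
The two opt-in avenues from the comment above, sketched as an added example that is not code from the bug thread or from any user agent. The hash algorithm (SHA-256), the hex-encoded attribute value, the function names and the sample inputs are all assumptions made for illustration.

```javascript
// Added illustration, not code from the bug thread. Assumptions: SHA-256,
// a hex-encoded attribute value, and every function name below.
const { createHash } = require("crypto");

function sha256Hex(body) {
  return createHash("sha256").update(body, "utf8").digest("hex");
}

// Option 1: the script was fetched per CORS with withCredentials = false.
// The response opts in through Access-Control-Allow-Origin ("*" or the
// requesting origin). Header names are assumed lower-cased by the caller.
function corsOptIn(headers, pageOrigin) {
  const acao = headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Option 2: the script body carries the magic comment on a line of its own,
// anywhere in the file (as with source maps). A line-based match is a
// simplification: it does not tell a real comment from the same text inside
// a multi-line string or block comment.
function magicCommentOptIn(body) {
  return /^[ \t]*\/\/@ allowHashing[ \t]*$/m.test(body);
}

// The opt-in is evaluated before the digest is compared, so a resource that
// has not opted in gets the same verdict whatever its content.
function verdict(expectedHex, body, optedIn) {
  if (!optedIn) return "reject: no opt-in";
  return sha256Hex(body) === expectedHex.toLowerCase()
    ? "execute"
    : "reject: hash mismatch";
}

// Constructed sample inputs.
const PAGE_ORIGIN = "https://app.example";
const PLAIN_BODY = "window.lib = { version: 1 };\n";
const TAGGED_BODY = "window.lib = { version: 1 };\n//@ allowHashing\nlib.ready = true;\n";

function demo() {
  return {
    corsOk: verdict(sha256Hex(PLAIN_BODY), PLAIN_BODY,
      corsOptIn({ "access-control-allow-origin": "*" }, PAGE_ORIGIN)),
    corsMissing: verdict(sha256Hex(PLAIN_BODY), PLAIN_BODY, corsOptIn({}, PAGE_ORIGIN)),
    magicOk: verdict(sha256Hex(TAGGED_BODY), TAGGED_BODY, magicCommentOptIn(TAGGED_BODY)),
    magicMissing: verdict(sha256Hex(PLAIN_BODY), PLAIN_BODY, magicCommentOptIn(PLAIN_BODY)),
  };
}
```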