Re: [w3ctag/design-reviews] TAG review request of the CSP feature 'unsafe-hashes' (#291) from L. David Baron on 2018-07-17 (public-webapps-github@w3.org from July 2018)

From: L. David Baron <notifications@github.com>
Date: Tue, 17 Jul 2018 08:40:57 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/291/405628203@github.com>

It's not clear to me from [the spec](https://w3c.github.io/webappsec-csp/#match-element-to-source-list) what character encoding the script/style is in before it's hashed.  The spec seems to describe running a hash algorithm on a string, when I think the hash algorithms are defined on a sequence of bytes.  It seems like it should be clearer about character encoding here.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/291#issuecomment-405628203

Received on Tuesday, 17 July 2018 15:41:21 UTC