- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 8 Jan 2014 21:42:13 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Joel Weinberger <jww@chromium.org>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Frederik Braun <fbraun@mozilla.com>
> Maybe, integrity verification should
> also follow this: sub-resource integrity verification only works
> directly for files with an explicit mime-type that is for JS/CSS/img
> etc.

Not sure how viable that would be with various existing CDNs (where the control over MIME types available to content publishers may be sloppy); plus, JSON is commonly returned as application/x-javascript or so, the use of application/json isn't widespread.

I like Mark's allow-by-default-if-publicly-cacheable proposal, though.

/mz

Received on Thursday, 9 January 2014 05:43:00 UTC