Re: Subresource Integrity and fingerprinting

> Maybe, integrity verification should
> also follow this: sub-resource integrity verification only works
> directly for files with an explicit mime-type that is for JS/CSS/img
> etc.

Not sure how viable that would be with various existing CDNs (where
the control over MIME types available to content publishers may be
sloppy); plus, JSON is commonly returned as application/x-javascript
or so, the use of application/json isn't widespread.

I like Mark's allow-by-default-if-publicly-cacheable proposal, though.


Received on Thursday, 9 January 2014 05:43:00 UTC