Re: Subresource Integrity and fingerprinting

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 8 Jan 2014 21:42:13 -0800
Message-ID: <CALx_OUDf=kU+yxf6HXdbMYTiQFd41z42qcx-4hH2HjMgF+R85A@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Joel Weinberger <jww@chromium.org>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Frederik Braun <fbraun@mozilla.com>

> Maybe, integrity verification should
> also follow this: sub-resource integrity verification only works
> directly for files with an explicit mime-type that is for JS/CSS/img
> etc.

Not sure how viable that would be with various existing CDNs (where
the control over MIME types available to content publishers may be
sloppy); plus, JSON is commonly returned as application/x-javascript
or so, the use of application/json isn't widespread.

I like Mark's allow-by-default-if-publicly-cacheable proposal, though.

/mz
Received on Thursday, 9 January 2014 05:43:00 UTC
