
[integrity]: CSS-loaded resources.

From: Mike West <mkwst@google.com>
Date: Sat, 11 Jan 2014 19:30:23 +0100
Message-ID: <CAKXHy=cQcAesp7s3KL8n0ryir8pa770bT8TzskS=yQzELwo-Uw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Tab Atkins <tabatkins@google.com>
Splitting this off into a separate thread, and adding Tab (Hi, Tab!). Tab,
I'm putting words in your mouth below, please correct me if I'm
misrepresenting your opinions. :)

On Sat, Jan 11, 2014 at 4:06 PM, Anne van Kesteren <annevk@annevk.nl> wrote:


> For CSS I think we want something like integrity-url(), but maybe CSS
> should have a more generic mechanism as I suspect we want to be able
> to control more there in the long term. E.g. CORS, whether Referer is
> emitted, whether cookies are included, etc. So maybe we should have
> url() and fetch() where fetch() allows for metadata.
>

Tab's suggestion was something like this:

    .coolClass {
        background-image: integrity('http://example.com/img.png',
                                    'ni:///sha256;jfoiajfija...');
    }

He wasn't a fan of the integrity block at the top of the file, as it would
quickly get out of sync with the resources in the file. I suggested that
build tools would be almost required for a scheme like this anyway; he was
not impressed. :)

A more generic 'fetch()' sounds interesting. I'm not sure I'd appreciate a
new CSS thing with positional arguments, and I don't know of any other CSS
thing with named parameters. *shrug* I'm not at all sure how something like
that would fit into the larger picture of CSS grammar. Tab, I assume, will
have opinions.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Saturday, 11 January 2014 18:31:11 UTC
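
The build-tool step mentioned in the message above, as an added sketch that is not part of the original thread: it computes an RFC 6920 `ni` URI for each resource a stylesheet references and rewrites `url()` into the proposed `integrity()` form, then shows the check failing once the resource drifts. The names `ni_uri`, `verify`, `pin_stylesheet` and `RESOURCES` are hypothetical, `integrity()` is only the syntax floated in this thread, and the hash label follows RFC 6920's `sha-256` spelling.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the files a build step would read from disk or fetch.
RESOURCES = {"http://example.com/img.png": b"\x89PNG\r\n\x1a\n constructed sample bytes"}

# Matches url(x), url('x') and url("x"); group 2 is the target.
URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""")


def ni_uri(data: bytes) -> str:
    """RFC 6920 'ni' URI: SHA-256 digest, base64url-encoded, padding stripped."""
    digest = hashlib.sha256(data).digest()
    return "ni:///sha-256;" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify(data: bytes, ni: str) -> bool:
    """Check fetched bytes against a pinned ni URI using a constant-time compare."""
    return hmac.compare_digest(ni_uri(data).encode(), ni.encode())


def pin_stylesheet(css: str, resources: dict) -> str:
    """Rewrite each url(...) whose target is known into integrity(url, ni)."""
    def repl(match):
        url = match.group(2)
        if url not in resources:  # unknown target: leave the url() untouched
            return match.group(0)
        return "integrity('%s', '%s')" % (url, ni_uri(resources[url]))
    return URL_RE.sub(repl, css)


# Constructed input stylesheet.
CSS_IN = ".coolClass {\n    background-image: url('http://example.com/img.png');\n}\n"

if __name__ == "__main__":
    print(pin_stylesheet(CSS_IN, RESOURCES))
    pinned = ni_uri(RESOURCES["http://example.com/img.png"])
    # The image is replaced upstream but the stylesheet is not rebuilt:
    # the pinned digest no longer matches, which is the out-of-sync case.
    print(verify(RESOURCES["http://example.com/img.png"] + b"changed", pinned))
```
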
