Re: [integrity]: CSS-loaded resources.

On Sat, Jan 11, 2014 at 10:30 AM, Mike West <> wrote:
> Splitting this off into a separate thread, and adding Tab (Hi, Tab!). Tab,
> I'm putting words in your mouth below, please correct me if I'm
> misrepresenting your opinions. :)
> On Sat, Jan 11, 2014 at 4:06 PM, Anne van Kesteren <> wrote:
>> For CSS I think we want something like integrity-url(), but maybe CSS
>> should have a more generic mechanism as I suspect we want to be able
>> to control more there in the long term. E.g. CORS, whether Referer is
>> emitted, whether cookies are included, etc. So maybe we should have
>> url() and fetch() where fetch() allows for metadata.
> Tab's suggestion was something like this:
>     .coolClass {
>         background-image: integrity('',
> 'ni:///sha256;jfoiajfija...');
>     }
> He wasn't a fan of the integrity block at the top of the file, as it would
> quickly get out of sync with the resources in the file. I suggested that
> build tools would be almost required for a scheme like this anyway, he was
> not impressed. :)
> A more generic 'fetch()' sounds interesting. I'm not sure I'd appreciate a
> new CSS thing with positional arguments, and I don't know of any other CSS
> thing with named parameters. *shrug* I'm not at all sure how something like
> that would fit into the larger picture of CSS grammar. Tab, I assume, will
> have opinions.

fetch() works too!

fetch( <string-or-url> <fetch-metadata>#? )
<fetch-metadata> = integrity <string> | (more later)

So like:

.foo {
  background-image: fetch('' integrity

Then we can add things like "cors" or "anonymous" or whatever to the
<fetch-metadata> term, etc.


Received on Monday, 13 January 2014 23:40:24 UTC