- From: Trevor Perrin <trevp@trevp.net>
- Date: Mon, 24 Mar 2014 18:06:19 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi webappsec,

I'm glad to see this! I think it's necessary for things like HPKP, TACK, and DANE to be effective for many sites. Without this, "pinning" stronger security onto an origin could be undermined if that origin loads a script from elsewhere, e.g. a CDN.

A couple of comments:

1) Why does the content-type need to be specified in the link? Why not just include it as input to the hash?

2) The "ni://" prefix seems pointless, why not just name the attribute after the hash algo, i.e. sha256="base64..." instead of integrity="ni://sha256;base64..."

Trevor
Received on Tuesday, 25 March 2014 01:06:46 UTC