
Re: [Integrity] Some comments on Cross-Origin leakage and content types

From: Ilya Grigorik <ilya@igvita.com>
Date: Tue, 23 Sep 2014 16:41:57 -0700
Message-ID: <CAKRe7JHqYg6LyT3M5KPHQXJAqU7S1gsm=8UdDnRUV90k3x7VwA@mail.gmail.com>
To: Arjan Veenstra <arjan@veenstra.cx>
Cc: public-webappsec@w3.org
On Mon, Sep 22, 2014 at 11:24 AM, Arjan Veenstra <arjan@veenstra.cx> wrote:

> content negotiation exists and is being used, as such I think the
> standard should at least spend a few words on how to deal with that. I also
> think it can be supported trivially without any loss of functionality.
> Depending on the interpretation of the standard it might even be supported,
> but as it stands the standard isn't explicit about it.
>

If I'm reading the current spec correctly, I think conneg should be covered:
- 3.3.2 -> If resource is cacheable by a shared cache, as defined in [RFC7234], return true. (i.e. valid for integrity validation) [1]
- 3.4, 3.1.3.1 -> Set request’s Accept header value to the value of request’s integrity metadata’s content type. [2]

To me, this implies that content negotiation is (implicitly) supported.
Also, we're extending Fetch, which I would expect to cover content
negotiation? If not, that's a bug in Fetch.

ig

[1]
http://w3c.github.io/webappsec/specs/subresourceintegrity/#is-resource-eligible-for-integrity-validation
[2]
http://w3c.github.io/webappsec/specs/subresourceintegrity/#modifications-to-fetch-1
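The interaction the two messages are debating, shown as an added example that is not part of the thread, the SRI draft or any browser's code: under content negotiation one URL can serve several representations with different bytes, so an integrity digest is only meaningful for the representation it was computed over. The snippet pins a media type next to the digest, derives the Accept header from it (mirroring the 3.4 / 3.1.3.1 text quoted above), and rejects a response whose Content-Type differs before even comparing digests. The `?ct=` suffix is a constructed convention for this example, not the spec's syntax, and the bodies are constructed sample data.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SUPPORTED_ALGORITHMS = ("sha256", "sha384", "sha512")


@dataclass
class IntegrityMetadata:
    algorithm: str                # hash algorithm name, e.g. "sha256"
    digest: bytes                 # raw digest the author computed
    content_type: Optional[str]   # media type the digest was computed over, if pinned


def parse_integrity(value: str) -> IntegrityMetadata:
    """Parse '<alg>-<base64 digest>' with an optional '?ct=<media type>' suffix.

    The '?ct=' suffix is a constructed convention for this example; it stands in
    for whatever mechanism the spec uses to carry a content type in the metadata.
    """
    content_type = None
    if "?ct=" in value:
        value, content_type = value.split("?ct=", 1)
    algorithm, b64 = value.split("-", 1)
    algorithm = algorithm.lower()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    # validate=True rejects non-base64 characters instead of silently skipping them
    digest = base64.b64decode(b64, validate=True)
    return IntegrityMetadata(algorithm, digest, content_type)


def accept_header_for(meta: IntegrityMetadata) -> str:
    """Accept header the fetch should send: the pinned type, or anything if none was pinned."""
    return meta.content_type if meta.content_type else "*/*"


def verify_response(meta: IntegrityMetadata, body: bytes, response_content_type: str) -> bool:
    """Return True only if the response is the representation the metadata describes."""
    if meta.content_type is not None:
        # Compare the media type only; parameters such as charset do not change the bytes hashed.
        served = response_content_type.split(";", 1)[0].strip().lower()
        if served != meta.content_type.lower():
            return False
    actual = hashlib.new(meta.algorithm, body).digest()
    # Constant-time comparison; digests are public, but this is the habit to keep.
    return hmac.compare_digest(actual, meta.digest)


def integrity_for(body: bytes, algorithm: str = "sha256", content_type: Optional[str] = None) -> str:
    """Helper for the resource author: produce the metadata string for one representation."""
    digest = base64.b64encode(hashlib.new(algorithm, body).digest()).decode("ascii")
    value = f"{algorithm}-{digest}"
    if content_type:
        value += f"?ct={content_type}"
    return value


# Constructed sample data: two representations a negotiating server might serve for one URL.
JS_BODY = b"console.log('hello');\n"
JSON_BODY = b'{"msg": "hello"}\n'


def demo() -> dict:
    """Walk through the scenario; returns the observations so they can be checked."""
    # The author hashed the JavaScript representation and pinned its media type.
    meta = parse_integrity(integrity_for(JS_BODY, content_type="application/javascript"))
    results = {
        # The fetch asks for exactly that representation.
        "accept": accept_header_for(meta),
        # Server honours the Accept header: bytes and type match, digest verifies.
        "js_variant_ok": verify_response(meta, JS_BODY, "application/javascript; charset=utf-8"),
        # Server negotiated a different variant: rejected on type before hashing.
        "json_variant_ok": verify_response(meta, JSON_BODY, "application/json"),
        # Same bytes but a mislabelled type is also rejected; the pin is part of the contract.
        "mislabelled_ok": verify_response(meta, JS_BODY, "text/plain"),
        # Metadata with no pinned type falls back to Accept: */* and checks bytes only.
        "unpinned_accept": accept_header_for(parse_integrity(integrity_for(JS_BODY))),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes is the one in the quoted exchange: if the metadata carries the content type and the fetch sets Accept from it, a server that negotiates a different representation cannot produce a digest match, so conneg is compatible with integrity checking as long as the metadata is explicit about which variant it describes.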
Received on Tuesday, 23 September 2014 23:43:09 UTC