W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: CfC: Subresource Integrity (SRI) to Last Call?

From: Austin William Wright <aaa@bzfx.net>
Date: Fri, 24 Apr 2015 03:08:41 -0700
Message-ID: <CANkuk-Wtt6iBN9-u0DdoAk1TxwnbDFZf6-=a9KvOz302EccL0w@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Joel Weinberger <jww@chromium.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Apr 23, 2015 at 5:31 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Apr 23, 2015 at 2:51 PM, Austin William Wright <aaa@bzfx.net>
> wrote:
> > That's because this isn't a URL, it's a URI (at least not without an
> > authority component). As such, it's completely opaque to Web browsers.
> That distinction has been meaningless since forever.

If I ask for a URL, I expect to be able to dereference it. If I ask for a
URI, then that's not necessarily the case. This is a meaningful distinction
for many people, particularly databases, automated robots, and HTTP servers.

It might not be much of a distinction for generic user agents like Web
browsers and websites, who almost exclusively deal in URLs, but there's
more kinds of user agents than just Web browsers.

In general, it's an important enough distinction to technical literature
that we have two names, even if in most other places it doesn't really

> > While `integrity` isn't limited to HTML, there's plenty of precedent for
> > using URIs outside use as network identifiers in HTML, namely the `rel`
> and
> > `xmlns` attributes, and the `profile` media type property.
> These are all terrible precedents that we don't want to follow.

You'll have to explain what you mean, I don't think I've *ever* heard this
before, and to the contrary, I notice a kind of Zawinski's law: Every
identifier syntax tends to assume more and more URI-like features. Those
which don't are replaced by URIs outright.

That is, it's not a position shared by me or my colleagues; nor have I
heard it in the entire Semantic Web community, where we develop so-called
"linked data" APIs and use them every day. JSON Schema, JSON-LD, Hydra,
RDFa, and even plain old HTML are all hypermedia formats where using
anything but a URI for identifying things would simply be unfathomable.

It has been a point of contention in JSON Schema, though, and we're open to
ideas. Perhaps you'd like to explain your vision to re-invent this format,
or any of these formats, without any URIs? How would I refer to a JSON
Schema defined by another party entirely? As far as I can tell, anything
that supports the required functionality will just be re-inventing the URI.

Firefox, too, uses linked data in its internal execution, using URIs for
representing data (even if in one of the oldest, biggest eyesores of a
syntax): <https://developer.mozilla.org/en-US/Add-ons/Install_Manifests>

Maybe you're opposed to the length/verbosity, but that's sort of a
mathematical certainly when you've got hundreds of millions of authorities
minting identifiers for billions and billions of resources, your globally
unambiguous identifiers are going to get *kind of lengthy*.

> In any event, Web browsers shouldn't need to care, the syntax is arbitrary
> > to them.
> As I explained the more complicated processing model is not at all
> something arbitrary that can be ignored.

I didn't follow your explanation, since the syntax is just a well-defined
ABNF. The processing model, for Web browser purposes, is
/^ni:\/\/\/([a-zA-Z0-9._~\-]+);([[a-zA-Z0-9._~\-]+)$/ (compare to the CSP
syntax: /^(sha256|sha384|sha512)-([a-zA-Z0-9+\/]+={0,2})$/)

That's all there is to it. If you're making it any more complex than that,
I'd venture to guess you're thinking too hard.

Received on Friday, 24 April 2015 10:09:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC