W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CfC: Transition CSP2 to CR.

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 8 Feb 2015 18:15:33 -0800
Message-ID: <CAPfop_1XWrMuBgZ=c2vm287yQoLOc4Xdob=6-UVpf_vvFqdVCw@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I am not worried about spec complexity as much as implementation
complexity, which doesn't seem like a big deal here. I don't mind
keeping it just in case anyone started using it already with the URI
encoding.

On 8 February 2015 at 18:06, Francois Marier <francois@mozilla.com> wrote:
> On 06/02/15 21:25, Mike West wrote:
>> Any other issues folks have on their mind for CSP2?
>
> CSP2 recently added support for Base64url hashes citing parity with SRI
> as one of the reasons [1] for this change.
>
> Given that the final SRI spec may be moving away from URIs for encoding
> the hashes [2], and that CSP hashes are not URIs either, I was
> wondering: is there a reason to use a URL-safe encoding of Base64 as
> opposed to just regular base64?
>
> It's fairly trivial to support both in user agents, but it adds a small
> amount of complexity to both specs.
>
> I don't have a strong opinion on this, but I wanted to note that this
> decision will have an impact on what we do in the SRI spec too.
>
> Francois
>
> [1] https://github.com/w3c/webappsec/pull/156#issuecomment-72209356
> [2] https://lists.w3.org/Archives/Public/public-webappsec/2015Jan/0259.html
>
Received on Monday, 9 February 2015 02:16:20 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC