- From: Joel Weinberger <jww@chromium.org>
- Date: Fri, 16 Jan 2015 23:06:47 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 16 January 2015 23:07:15 UTC
In CSP Source List Syntax <https://w3c.github.io/webappsec/specs/content-security-policy/#base64_value> definition, base64-value is listed as purely a base64 value. This is inconsistent with the Subresource Integrity draft, which proposes to use base64url <http://www.w3.org/TR/SRI/#integrity-metadata-1>. Furthermore, in practice, Chrome accepts both base64 and base64url for Subresource Integrity *and* CSP. I propose that we standardize this and accept either base64 *or* base64url in CSP. I've opened issue 147 <https://github.com/w3c/webappsec/issues/147> on GitHub to propose this. --Joel
Received on Friday, 16 January 2015 23:07:15 UTC