[CSP] Accepting base64-url from Joel Weinberger on 2015-01-16 (public-webappsec@w3.org from January 2015)

From: Joel Weinberger <jww@chromium.org>
Date: Fri, 16 Jan 2015 23:06:47 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAHQV2KmE0_BPfrueotp-QooYCtR8D3=x7KMC6q1zZTkmScM3OA@mail.gmail.com>

In CSP Source List Syntax
<https://w3c.github.io/webappsec/specs/content-security-policy/#base64_value>
definition,
base64-value is listed as purely a base64 value. This is inconsistent with
the Subresource Integrity draft, which proposes to use base64url
<http://www.w3.org/TR/SRI/#integrity-metadata-1>. Furthermore, in practice,
Chrome accepts both base64 and base64url for Subresource Integrity *and* CSP.
I propose that we standardize this and accept either base64 *or* base64url
in CSP. I've opened issue 147 <https://github.com/w3c/webappsec/issues/147>
on GitHub to propose this.
--Joel

Received on Friday, 16 January 2015 23:07:15 UTC