W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

[CSP] Accepting base64-url

From: Joel Weinberger <jww@chromium.org>
Date: Fri, 16 Jan 2015 23:06:47 +0000
Message-ID: <CAHQV2KmE0_BPfrueotp-QooYCtR8D3=x7KMC6q1zZTkmScM3OA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
In CSP Source List Syntax
<https://w3c.github.io/webappsec/specs/content-security-policy/#base64_value>
definition,
base64-value is listed as purely a base64 value. This is inconsistent with
the Subresource Integrity draft, which proposes to use base64url
<http://www.w3.org/TR/SRI/#integrity-metadata-1>. Furthermore, in practice,
Chrome accepts both base64 and base64url for Subresource Integrity *and* CSP.
I propose that we standardize this and accept either base64 *or* base64url
in CSP. I've opened issue 147 <https://github.com/w3c/webappsec/issues/147>
on GitHub to propose this.
--Joel
Received on Friday, 16 January 2015 23:07:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC