W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

[SRI] Reserving the "authority" component of NI URIs for later use?

From: Francois Marier <francois@mozilla.com>
Date: Sun, 18 Jan 2015 13:19:59 +1300
Message-ID: <54BAFC2F.2040002@mozilla.com>
To: public-webappsec@w3.org
I filed https://github.com/w3c/webappsec/pull/124 after carefully
re-reading RFC 6920.

The first commit is not controversial but the second one raised some
questions:


https://github.com/fmarier/webappsec/commit/1b5e6b0d3c40cfb3ede6d40b5f6d849c048b79b5

We don't currently use the "authority" field in NI URIs (e.g.
"ni://authority.com/sha-256;foo") and we could either:

1. require that it be empty (i.e. the presence of an authority makes the
URI invalid)

2. require that user agents ignore it if present (i.e. URIs with
authority can be valid)

I have a slight preference for #2 in case we find a good use for it in a
future version of the SRI spec.

Does anybody have thoughts on this?

Francois
Received on Sunday, 18 January 2015 00:20:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC