W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [Integrity] typos with ni URIs

From: Frederik Braun <fbraun@mozilla.com>
Date: Tue, 20 Jan 2015 13:50:09 +0100
Message-ID: <54BE4F01.2090109@mozilla.com>
To: public-webappsec@w3.org
On 20.01.2015 13:17, Francois Marier wrote:
> On 20/01/15 23:48, Mike West wrote:
>> Without thinking about it too hard, I'd be fine with either of these.
>> I'd also be fine with keeping the `ni:`-style URL.
> 
> If we abandon ni: URIs, we may as well drop the dash in "sha-" and
> therefore match the algorithm names in the CSP2 spec (e.g. "sha256").
> 
> Francois
> 
> 

I wouldn't be opposed to matching CSP notation if this makes things
easier for content authors.

As far as I understood, the main reason for picking ni URIs was the
existing specification, while combining all three important bits
(algorithm, digest, content type) and thus keeping our spec short.

So the question that remains is, what do we do with content types, if we
match CSP's notation:
Do we enforce them implicitly?
Do we require them to be on the HTML tag as another attribute?
How is this going to work in the future, with tags that do not enjoy
content types on attributes (e.g., img)?
Received on Tuesday, 20 January 2015 12:50:38 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC