- From: Frederik Braun <fbraun@mozilla.com>
- Date: Tue, 20 Jan 2015 13:50:09 +0100
- To: public-webappsec@w3.org
On 20.01.2015 13:17, Francois Marier wrote: > On 20/01/15 23:48, Mike West wrote: >> Without thinking about it too hard, I'd be fine with either of these. >> I'd also be fine with keeping the `ni:`-style URL. > > If we abandon ni: URIs, we may as well drop the dash in "sha-" and > therefore match the algorithm names in the CSP2 spec (e.g. "sha256"). > > Francois > > I wouldn't be opposed to matching CSP notation if this makes things easier for content authors. As far as I understood, the main reason for picking ni URIs was the existing specification, while combining all three important bits (algorithm, digest, content type) and thus keeping our spec short. So the question that remains is, what do we do with content types, if we match CSP's notation: Do we enforce them implicitly? Do we require them to be on the HTML tag as another attribute? How is this going to work in the future, with tags that do not enjoy content types on attributes (e.g., img)?
Received on Tuesday, 20 January 2015 12:50:38 UTC