- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 20 Jan 2015 14:15:49 +0100
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Tue, Jan 20, 2015 at 1:50 PM, Frederik Braun <fbraun@mozilla.com> wrote:
> As far as I understood, the main reason for picking ni URIs was the
> existing specification, while combining all three important bits
> (algorithm, digest, content type) and thus keeping our spec short.

Defining a microsyntax is rather cheap and easy to specify though.

> So the question that remains is, what do we do with content types, if we
> match CSP's notation:
> Do we enforce them implicitly?
> Do we require them to be on the HTML tag as another attribute?
> How is this going to work in the future, with tags that do not enjoy
> content types on attributes (e.g., img)?

Martin's suggestion was that you define the MIME type separately. E.g.

    <img src=... integrity="sha256:... sha512:..." integritytype=image/jpeg>

You would make the concept of a MIME type default to something based on the API in question. E.g. for XMLHttpRequest you probably do not want to enforce any type, but for <img> it makes sense to require image/* (or even one of a set).

--
https://annevankesteren.nl/

Received on Tuesday, 20 January 2015 13:16:12 UTC
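
The scheme discussed in the message above (a space-separated `alg:digest` list plus a separate `integritytype`, with a per-API default type), sketched as an added example that is not part of the original e-mail or of any specification. The base64 digest encoding, the "strongest listed algorithm decides" rule, the fail-closed handling of an unusable list, and the names `checkResource`, `parseIntegrity`, `typeMatches` and `DEFAULT_TYPE` are assumptions made for illustration.

```javascript
// Added example: checker for the integrity microsyntax sketched in the message.
// Assumptions (not from the thread): base64 digests, strongest algorithm decides.
const { createHash, timingSafeEqual } = require("crypto");

const STRENGTH = ["sha256", "sha384", "sha512"]; // weakest to strongest
// Per-API default type: image/* for <img>, nothing enforced for XMLHttpRequest.
const DEFAULT_TYPE = { img: "image/*", xhr: null };

// Split 'sha256:AAA sha512:BBB' into entries, dropping unknown or malformed tokens.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((token) => {
    const i = token.indexOf(":");
    if (i < 1) return null;
    return { alg: token.slice(0, i).toLowerCase(), digest: token.slice(i + 1) };
  }).filter((e) => e && STRENGTH.includes(e.alg) && e.digest.length > 0);
}

// Compare a response Content-Type with an expected type; 'image/*' is a wildcard.
function typeMatches(expected, actual) {
  if (expected === null) return true;
  const [eType, eSub] = expected.toLowerCase().split("/");
  const [aType, aSub] = (actual || "").split(";")[0].trim().toLowerCase().split("/");
  return Boolean(aSub) && eType === aType && (eSub === "*" || eSub === aSub);
}

// Decide whether a fetched body may be used by the given API ('img' or 'xhr').
function checkResource(api, attrs, body, contentType) {
  const expectedType = attrs.integritytype ?? DEFAULT_TYPE[api] ?? null;
  if (!typeMatches(expectedType, contentType)) return { ok: false, reason: "type" };

  const entries = parseIntegrity(attrs.integrity || "");
  // Assumption: an integrity list with no usable digest fails closed.
  if (entries.length === 0) return { ok: false, reason: "no-usable-digest" };

  // Only the strongest listed algorithm counts, so a matching weaker digest
  // cannot rescue a resource whose stronger digest does not match.
  const best = entries
    .map((e) => e.alg)
    .reduce((a, b) => (STRENGTH.indexOf(b) > STRENGTH.indexOf(a) ? b : a));
  const actual = createHash(best).update(body).digest();
  const ok = entries.filter((e) => e.alg === best).some((e) => {
    const want = Buffer.from(e.digest, "base64");
    return want.length === actual.length && timingSafeEqual(want, actual);
  });
  return ok ? { ok: true, alg: best } : { ok: false, reason: "digest" };
}
```
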