W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [Integrity] typos with ni URIs

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 20 Jan 2015 14:15:49 +0100
Message-ID: <CADnb78h29wvYAyTZjHXxR4=Sk19wAxMXeQeM5fKM5jWGxsReKA@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Tue, Jan 20, 2015 at 1:50 PM, Frederik Braun <fbraun@mozilla.com> wrote:
> As far as I understood, the main reason for picking ni URIs was the
> existing specification, while combining all three important bits
> (algorithm, digest, content type) and thus keeping our spec short.

Defining a microsyntax is rather cheap and easy to specify though.

> So the question that remains is, what do we do with content types, if we
> match CSP's notation:
> Do we enforce them implicitly?
> Do we require them to be on the HTML tag as another attribute?
> How is this going to work in the future, with tags that do not enjoy
> content types on attributes (e.g., img)?

Martin's suggestion was that you define the MIME type separately. E.g.

  <img src=... integrity="sha256:... sha512:..." integritytype=image/jpeg>

You would make the concept of a MIME type default to something based
on the API in question. E.g. for XMLHttpRequest you probably do not
want to enforce any type, but for <img> it makes sense to require
image/* (or even one of a set).

Received on Tuesday, 20 January 2015 13:16:12 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC