- From: Francois Marier <francois@mozilla.com>
- Date: Sat, 31 Jan 2015 14:52:29 +1300
- To: WebAppSec WG <public-webappsec@w3.org>
On 31/01/15 02:49, Joel Weinberger wrote:
> Another +1 to getting rid of ni:// and consistency with CSP.

To remove any ambiguity, let's summarize the current proposals by looking at two real examples:

1. My original proposal with the addition of content-type inside the integrity attribute:

  <script src="https://code.jquery.com/jquery-1.11.2.js"
          integrity="application/x-javascript:
                     sha256-WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
                     sha384-ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
                     sha512-7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w== "></script>

2. Martin's proposal:

  <script src="https://code.jquery.com/jquery-1.11.2.js"
          integrity="type:application/x-javascript
                     sha256:WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
                     sha384:ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
                     sha512:7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w== "></script>

Should we build some extensibility into that format to account for any future revisions of the spec? Using Martin's "type:" prefix, here's an idea:

  <script src="https://code.jquery.com/jquery-1.11.2.js"
          integrity="type:application/x-javascript
                     version:1
                     irrelevant-security-option:strict
                     sha256-WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
                     sha384-ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
                     sha512-7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w== "></script>

In other words, the integrity attribute would be:

- whitespace-delimited list of tokens
- tokens are either a CSP2 hash-source, or an option
- options token consists of: name + semicolon + value (no whitespace)
- the only value option name right now is "type" (or perhaps "ct"?)
- none of the options are mandatory

Francois
Received on Saturday, 31 January 2015 01:53:04 UTC