Re: [SRI] format of the integrity attribute

On 31/01/15 02:49, Joel Weinberger wrote:
> Another +1 to getting rid of ni:// and consistency with CSP.

To remove any ambiguity, let's summarize the current proposals by
looking at two real examples:

1. My original proposal with the addition of content-type inside the
integrity attribute:

<script src="https://code.jquery.com/jquery-1.11.2.js"
        integrity="application/x-javascript:
sha256-WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
sha384-ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
sha512-7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w==
"></script>

2. Martin's proposal:

<script src="https://code.jquery.com/jquery-1.11.2.js"
        integrity="type:application/x-javascript
sha256:WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
sha384:ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
sha512:7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w==
"></script>

Should we build some extensibility into that format to account for any
future revisions of the spec?

Using Martin's "type:" prefix, here's an idea:

<script src="https://code.jquery.com/jquery-1.11.2.js"
        integrity="type:application/x-javascript version:1
irrelevant-security-option:strict
sha256-WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
sha384-ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
sha512-7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w==
"></script>

In other words, the integrity attribute would be:

- whitespace-delimited list of tokens
- tokens are either a CSP2 hash-source, or an option
- options token consists of: name + semicolon + value (no whitespace)
- the only value option name right now is "type" (or perhaps "ct"?)
- none of the options are mandatory

Francois

Received on Saturday, 31 January 2015 01:53:04 UTC