Re: [SRI] format of the integrity attribute

From: Francois Marier <francois@mozilla.com>
Date: Sat, 31 Jan 2015 14:52:29 +1300
Message-ID: <54CC355D.1080407@mozilla.com>
To: WebAppSec WG <public-webappsec@w3.org>

On 31/01/15 02:49, Joel Weinberger wrote:
> Another +1 to getting rid of ni:// and consistency with CSP.

To remove any ambiguity, let's summarize the current proposals by
looking at two real examples:

1. My original proposal with the addition of content-type inside the
integrity attribute:

<script src="https://code.jquery.com/jquery-1.11.2.js"
        integrity="application/x-javascript:
sha256-WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
sha384-ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
sha512-7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w==
"></script>

2. Martin's proposal:

<script src="https://code.jquery.com/jquery-1.11.2.js"
        integrity="type:application/x-javascript
sha256:WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
sha384:ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
sha512:7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w==
"></script>

Should we build some extensibility into that format to account for any
future revisions of the spec?

Using Martin's "type:" prefix, here's an idea:

<script src="https://code.jquery.com/jquery-1.11.2.js"
        integrity="type:application/x-javascript version:1
irrelevant-security-option:strict
sha256-WMJwNbei5YnfOX5dfgVCS5C4waqvc+/0fV7W2uy3DyU=
sha384-ACws9ykGE3FuLkDpto3htd4WDroMJsyYg0Rv3bO+B9Y37HpERfGFpgwMwj+AJG5q
sha512-7iAtgxibPdpUUYLwHYiQz2lRpEsz/5VXHI9DF40oxSUoiwbiOL+maCUI2dZdYm/yBQgkTe+aXhBApuPtpnAu3w==
"></script>

In other words, the integrity attribute would be:

- whitespace-delimited list of tokens
- tokens are either a CSP2 hash-source, or an option
- options token consists of: name + semicolon + value (no whitespace)
- the only value option name right now is "type" (or perhaps "ct"?)
- none of the options are mandatory

Francois
Received on Saturday, 31 January 2015 01:53:04 UTC
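
The token format proposed in the message above, as an added example that is not part of the original post and not code from the SRI specification or any browser: a Node.js parser that splits the attribute into hash-source tokens and options, then checks a resource body against it. Assumptions made here: options use the colon separator shown in the "type:" examples, unrecognized tokens are ignored rather than rejected, only the strongest listed algorithm is checked, and an attribute with no usable hash fails closed. The function names and the sample body are constructed for illustration.

```javascript
const crypto = require('crypto');

// CSP2 hash-source without the quotes: <algo>-<base64 digest>
const HASH_RE = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/;
// Option token as written in the examples: name ":" value, no whitespace.
const OPTION_RE = /^([a-z][a-z0-9-]*):(\S+)$/;
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

function parseIntegrity(attr) {
  const result = { options: {}, hashes: [], unknown: [] };
  for (const token of attr.split(/\s+/).filter(Boolean)) {
    let m;
    if ((m = HASH_RE.exec(token))) {
      result.hashes.push({ algo: m[1], digest: m[2] });
    } else if ((m = OPTION_RE.exec(token))) {
      // Unknown option names are kept but never enforced, so a later
      // revision of the format can add options without breaking parsing.
      result.options[m[1]] = m[2];
    } else {
      result.unknown.push(token);
    }
  }
  return result;
}

function digestOf(algo, body) {
  return crypto.createHash(algo).update(body).digest('base64');
}

function verifyIntegrity(attr, body, contentType) {
  const { options, hashes } = parseIntegrity(attr);
  if (hashes.length === 0) return false;            // fail closed (assumption)
  if (options.type && options.type !== contentType) return false;
  // Check only the strongest algorithm present, so a weaker digest
  // cannot be used to bypass a stronger one listed beside it.
  const best = Math.max(...hashes.map((h) => STRENGTH[h.algo]));
  return hashes
    .filter((h) => STRENGTH[h.algo] === best)
    .some((h) => digestOf(h.algo, body) === h.digest);
}

// Constructed sample input, laid out like the third example in the message.
const SAMPLE_BODY = 'console.log("constructed sample script");';
const SAMPLE_ATTR = `type:application/x-javascript version:1
irrelevant-security-option:strict
sha256-${digestOf('sha256', SAMPLE_BODY)}
sha512-${digestOf('sha512', SAMPLE_BODY)}
`;
console.log(verifyIntegrity(SAMPLE_ATTR, SAMPLE_BODY, 'application/x-javascript'));
```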
