- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 30 Jan 2015 19:03:01 -0800
- To: Francois Marier <francois@mozilla.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On 30 January 2015 at 17:52, Francois Marier <francois@mozilla.com> wrote:
> In other words, the integrity attribute would be:
>
> - whitespace-delimited list of tokens
> - tokens are either a CSP2 hash-source, or an option
> - options token consists of: name + semicolon + value (no whitespace)
> - the only value option name right now is "type" (or perhaps "ct"?)
> - none of the options are mandatory

None of your examples show this, but hash-source has single quotes
around it: https://w3c.github.io/webappsec/specs/content-security-policy/#hash_source
Without the quotes, a hash-source for a new hash algorithm is going to
be marginally harder to distinguish from an option, so I think that's
good.

    integrity = integrity-value *(" " integrity-value)
    integrity-value = hash-source / content-type
    content-type = "type:" mime-media-type ; reference TBD

I note that all of your examples use base64. The ni URL uses
base64url. I have a small (small) preference for base64url without
padding. Is there any reason to pick one over the other?
Received on Saturday, 31 January 2015 03:03:28 UTC
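
The token grammar discussed in this message, as an added example that is not part of the original thread: a JavaScript (Node.js) parser that separates quoted hash-sources from `type:` options and accepts a digest in either base64 or unpadded base64url. The names `parseIntegrity` and `decodeDigest`, the simplified media-type pattern, and the sample digest are assumptions constructed for illustration.

```javascript
// Added example, not from the thread. parseIntegrity and decodeDigest are
// hypothetical names; the sample digest below is constructed.

// Quoted hash-source: algorithm, "-", digest. As an assumption, the digest
// class admits both the base64 alphabet (+ /, optional padding) and the
// base64url alphabet (- _), since the thread leaves that choice open.
const HASH_SOURCE = /^'([a-z0-9]+)-([A-Za-z0-9+\/_-]+={0,2})'$/;
// Option token as in the ABNF sketch: "type:" followed by a media type.
const CONTENT_TYPE = /^type:([A-Za-z0-9!#$&^_.+-]+\/[A-Za-z0-9!#$&^_.+-]+)$/;

// Decode either encoding to hex so equal digests compare equal.
function decodeDigest(text) {
  if (/[+\/]/.test(text) && /[-_]/.test(text)) return null; // mixed alphabets
  const std = text.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  if (std.length % 4 === 1) return null; // impossible base64 length
  return Buffer.from(std, 'base64').toString('hex');
}

function parseIntegrity(attr) {
  const result = { hashes: [], type: null, rejected: [] };
  for (const token of attr.split(/\s+/).filter(Boolean)) {
    const hash = HASH_SOURCE.exec(token);
    const option = CONTENT_TYPE.exec(token);
    const hex = hash ? decodeDigest(hash[2]) : null;
    if (hex !== null) {
      result.hashes.push({ algorithm: hash[1], hex });
    } else if (option) {
      result.type = option[1].toLowerCase();
    } else {
      // Unquoted hash-like tokens end up here: without the quotes they
      // look like an option with an unknown name.
      result.rejected.push(token);
    }
  }
  return result;
}

// Constructed 32-byte digest whose base64 form contains "+" and "/".
const digest = Buffer.alloc(32, 0xfb);
const b64 = digest.toString('base64');
const b64url = b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

console.log(parseIntegrity(`'sha256-${b64}' type:application/javascript`));
console.log(parseIntegrity(`'sha256-${b64url}'`));
console.log(parseIntegrity(`sha256-${b64}`)); // unquoted: rejected
```

Comparing decoded bytes rather than the encoded strings is what lets the two encodings of one digest be treated as the same value.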