- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 30 Jan 2015 19:03:01 -0800
- To: Francois Marier <francois@mozilla.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On 30 January 2015 at 17:52, Francois Marier <francois@mozilla.com> wrote: > In other words, the integrity attribute would be: > > - whitespace-delimited list of tokens > - tokens are either a CSP2 hash-source, or an option > - options token consists of: name + semicolon + value (no whitespace) > - the only value option name right now is "type" (or perhaps "ct"?) > - none of the options are mandatory None of your example show this, but hash-source has single quotes around it: https://w3c.github.io/webappsec/specs/content-security-policy/#hash_source Without the quotes, a hash-source for a new hash algorithm is going to marginally harder to distinguish from an option, so I think that's good. integrity = integrity-value *(" " integrity-value) integrity-value = hash-source / content-type content-type = "type:" mime-media-type ; reference TBD I note that all of your examples use base64. The ni URL uses base64url. I have a small (small) preference for base64url without padding. Is there any reason to pick one over the other?
Received on Saturday, 31 January 2015 03:03:28 UTC