
Re: [SRI] format of the integrity attribute

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 30 Jan 2015 19:03:01 -0800
Message-ID: <CABkgnnWnqoT538=3CqQOwBmnnP3LAcsNTSMMkCeEqCK0soHo4w@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On 30 January 2015 at 17:52, Francois Marier <francois@mozilla.com> wrote:
> In other words, the integrity attribute would be:
> - whitespace-delimited list of tokens
> - tokens are either a CSP2 hash-source, or an option
> - options token consists of: name + semicolon + value (no whitespace)
> - the only value option name right now is "type" (or perhaps "ct"?)
> - none of the options are mandatory

None of your examples show this, but hash-source has single quotes
around it: https://w3c.github.io/webappsec/specs/content-security-policy/#hash_source

Without the quotes, a hash-source for a new hash algorithm is going to
be marginally harder to distinguish from an option, so I think that's

integrity = integrity-value *(" " integrity-value)
integrity-value = hash-source / content-type
content-type = "type:" mime-media-type ; reference TBD

I note that all of your examples use base64.  The ni URL uses
base64url.  I have a small (small) preference for base64url without
padding.  Is there any reason to pick one over the other?
Received on Saturday, 31 January 2015 03:03:28 UTC
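
The grammar sketched in this message, as an added example that is not part of the original thread or of any SRI implementation: a strict parser that tells quoted hash-sources apart from the "type:" option and fails closed on anything else. The names parseIntegrity and decodeDigest are hypothetical, the CSP2 algorithm list (sha256/sha384/sha512) is assumed, and accepting both base64 and base64url is an assumption because the thread leaves that choice open.

```javascript
// Added example: parser for the integrity ABNF proposed in this message.
// Assumption: hash-source is CSP2 style, '<alg>-<digest>' inside single quotes.
const HASH_SOURCE = /^'(sha256|sha384|sha512)-([A-Za-z0-9+\/_-]+)={0,2}'$/;
const DIGEST_BYTES = { sha256: 32, sha384: 48, sha512: 64 };

// Constructed sample input: SHA-256 of the empty string in both encodings.
const SAMPLE_STD = "'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='";
const SAMPLE_URL = "'sha256-47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU'";

// Decode a digest written as base64 or as unpadded base64url to hex.
function decodeDigest(alg, body) {
  if (/[-_]/.test(body) && /[+\/]/.test(body)) {
    throw new Error('digest mixes base64 and base64url alphabets');
  }
  const std = body.replace(/-/g, '+').replace(/_/g, '/');
  const bytes = Buffer.from(std, 'base64');
  // A truncated or over-long digest must never be compared against content.
  if (bytes.length !== DIGEST_BYTES[alg]) {
    throw new Error(`wrong digest length for ${alg}`);
  }
  return bytes.toString('hex');
}

function parseIntegrity(attr) {
  const result = { hashes: [], type: null };
  for (const token of attr.trim().split(/\s+/).filter(Boolean)) {
    const m = HASH_SOURCE.exec(token);
    if (m) {
      result.hashes.push({ alg: m[1], hex: decodeDigest(m[1], m[2]) });
    } else if (token.startsWith('type:') && token.length > 5) {
      // Stricter than the ABNF: a second type option is ambiguous, so reject.
      if (result.type !== null) throw new Error('duplicate type option');
      result.type = token.slice(5); // media-type syntax is "reference TBD"
    } else {
      // Unquoted digests and unknown options fail closed.
      throw new Error(`unrecognised integrity token: ${token}`);
    }
  }
  return result;
}
```

Both sample encodings decode to the same 32 bytes, so whichever encoding a format picks, the comparison against the computed digest should be made on decoded bytes rather than on the attribute string.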
