
Re: SRI: data URIs and Blob URL

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 23 Sep 2015 18:19:36 +0200
Message-ID: <CADnb78inJQEiq5wkBnpmbPewbAxudZwjumHnVVR+f1sxkSWaHQ@mail.gmail.com>
To: Jerry Qu <quguangyu@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Wed, Sep 23, 2015 at 5:50 PM, Jerry Qu <quguangyu@gmail.com> wrote:
> May the SRI spec give some specific recommendations for this?

Only the blob URL should work per Fetch, to which SRI defers. (That is
because data URLs for <script> get tainted and SRI cannot poke into
tainted responses.)

Received on Wednesday, 23 September 2015 16:20:01 UTC
