Re: SRI: data URIs and Blob URL from Anne van Kesteren on 2015-09-23 (public-webappsec@w3.org from September 2015)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 23 Sep 2015 18:19:36 +0200
To: Jerry Qu <quguangyu@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CADnb78inJQEiq5wkBnpmbPewbAxudZwjumHnVVR+f1sxkSWaHQ@mail.gmail.com>

On Wed, Sep 23, 2015 at 5:50 PM, Jerry Qu <quguangyu@gmail.com> wrote:
> May the SRI spec give some specific recommendations for this?

Only the blob URL should work per Fetch, to which SRI defers. (That is
because data URLs for <script> get tainted and SRI cannot poke into
tainted responses.)


-- 
https://annevankesteren.nl/

Received on Wednesday, 23 September 2015 16:20:01 UTC