Re: SRI: data URIs and Blob URL from Jerry Qu on 2015-09-24 (public-webappsec@w3.org from September 2015)

From: Jerry Qu <quguangyu@gmail.com>
Date: Thu, 24 Sep 2015 11:32:59 +0800
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAGGh6wz+_wyZqXM2FguLkQ1-=mTJYcFvtx09ADyeJtWcodVR5g@mail.gmail.com>

Thank you, I got it.

It seems that Chrome's implementation followed the SRI spec.

On Thu, Sep 24, 2015 at 12:19 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Wed, Sep 23, 2015 at 5:50 PM, Jerry Qu <quguangyu@gmail.com> wrote:
> > May the SRI spec give some specific recommendations for this?
>
> Only the blob URL should work per Fetch, to which SRI defers. (That is
> because data URLs for <script> get tainted and SRI cannot poke into
> tainted responses.)
>
>
> --
> https://annevankesteren.nl/
>



-- 
非常感谢~

屈光宇（ImQuQu.com）

Received on Thursday, 24 September 2015 03:33:27 UTC