W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: SRI: data URIs and Blob URL

From: Jerry Qu <quguangyu@gmail.com>
Date: Thu, 24 Sep 2015 11:32:59 +0800
Message-ID: <CAGGh6wz+_wyZqXM2FguLkQ1-=mTJYcFvtx09ADyeJtWcodVR5g@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
Thank you, I got it.

It seems that Chrome's implementation followed the SRI spec.

On Thu, Sep 24, 2015 at 12:19 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Wed, Sep 23, 2015 at 5:50 PM, Jerry Qu <quguangyu@gmail.com> wrote:
> > May the SRI spec give some specific recommendations for this?
>
> Only the blob URL should work per Fetch, to which SRI defers. (That is
> because data URLs for <script> get tainted and SRI cannot poke into
> tainted responses.)
>
>
> --
> https://annevankesteren.nl/
>



-- 
非常感谢~

屈光宇(ImQuQu.com)
Received on Thursday, 24 September 2015 03:33:27 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC