W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: SRI: data URIs and Blob URL

From: Francois Marier <francois@mozilla.com>
Date: Wed, 23 Sep 2015 22:57:32 -0700
Message-ID: <560390CC.8050503@mozilla.com>
To: public-webappsec@w3.org
On 23/09/15 09:19 AM, Anne van Kesteren wrote:
> Only the blob URL should work per Fetch, to which SRI defers. (That is
> because data URLs for <script> get tainted and SRI cannot poke into
> tainted responses.)

Should we make data: URIs non-eligible in the SRI spec to make this clear?

Francois
Received on Thursday, 24 September 2015 05:58:02 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC