- From: Francois Marier <francois@mozilla.com>
- Date: Wed, 23 Sep 2015 22:57:32 -0700
- To: public-webappsec@w3.org

On 23/09/15 09:19 AM, Anne van Kesteren wrote:
> Only the blob URL should work per Fetch, to which SRI defers. (That is
> because data URLs for <script> get tainted and SRI cannot poke into
> tainted responses.)

Should we make data: URIs non-eligible in the SRI spec to make this clear?

Francois

Received on Thursday, 24 September 2015 05:58:02 UTC