Re: SRI: data URIs and Blob URL

On Thu, Sep 24, 2015 at 7:57 AM, Francois Marier <francois@mozilla.com> wrote:
> On 23/09/15 09:19 AM, Anne van Kesteren wrote:
>> Only the blob URL should work per Fetch, to which SRI defers. (That is
>> because data URLs for <script> get tainted and SRI cannot poke into
>> tainted responses.)
>
> Should we make data: URIs non-eligible in the SRI spec to make this clear?

It's actually a bit more complicated since it would work for fetch()
(and <img> whenever that gets integrity), because XMLHttpRequest,
fetch(), and <img> set the same-origin data-URL flag, which makes the
response CORS-same-origin rather than CORS-cross-origin (to use the
terms from HTML).


-- 
https://annevankesteren.nl/

Received on Thursday, 24 September 2015 07:07:36 UTC