- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 24 Sep 2015 09:07:10 +0200
- To: Francois Marier <francois@mozilla.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Sep 24, 2015 at 7:57 AM, Francois Marier <francois@mozilla.com> wrote:
> On 23/09/15 09:19 AM, Anne van Kesteren wrote:
>> Only the blob URL should work per Fetch, to which SRI defers. (That is
>> because data URLs for <script> get tainted and SRI cannot poke into
>> tainted responses.)
>
> Should we make data: URIs non-eligible in the SRI spec to make this clear?

It's actually a bit more complicated since it would work for fetch() (and
<img> whenever that gets integrity). Because XMLHttpRequest, fetch(), and
<img> set the same-origin data-URL flag which makes the response
CORS-same-origin rather than CORS-cross-origin (to use the terms from HTML).

--
https://annevankesteren.nl/
Received on Thursday, 24 September 2015 07:07:36 UTC