
Re: SRI: data URIs and Blob URL

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 24 Sep 2015 09:07:10 +0200
Message-ID: <CADnb78g4to3hwUyhHeUS+L5zsHb=2k7Ed5M6cfNdMEiL8BK4OQ@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, Sep 24, 2015 at 7:57 AM, Francois Marier <francois@mozilla.com> wrote:
> On 23/09/15 09:19 AM, Anne van Kesteren wrote:
>> Only the blob URL should work per Fetch, to which SRI defers. (That is
>> because data URLs for <script> get tainted and SRI cannot poke into
>> tainted responses.)
> Should we make data: URIs non-eligible in the SRI spec to make this clear?

It's actually a bit more complicated since it would work for fetch()
(and <img> whenever that gets integrity). Because XMLHttpRequest,
fetch(), and <img> set the same-origin data-URL flag which makes the
response CORS-same-origin rather than CORS-cross-origin (to use the
terms from HTML).

Received on Thursday, 24 September 2015 07:07:36 UTC
