Re: [CSP][SRI] block-non-sri-resources: * or no *?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 31 Mar 2016 17:17:33 -0700
Message-ID: <CADYDTCAqSH0m4vTVwdmCyij7055p1xyU+Q1=VgsnLkT52G8Gvg@mail.gmail.com>
To: Neil Matatall <oreoshake@github.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Mar 31, 2016 at 3:18 PM, Neil Matatall <oreoshake@github.com> wrote:

> During the last teleconference [1], we discussed the future of using
> `*` as a source expression in a `block-non-sri-resources` context.
> Whether this lands as part of CSP, in a separate header, etc. we
> should decide if `*` is allowed as a value.
>

We have the option of not deciding yet: '*' currently isn't a whole lot
shorter than the only supported values of 'script' 'style'. Later, when
we do introduce all those other possible values we can also introduce '*'.

That will introduce the problem of future websites using '*' and old
browsers not understanding it. That's probably OK given that the two
browser engines which currently support SRI update quickly. In practice we
should be fine.

-Dan Veditz
Received on Friday, 1 April 2016 00:18:02 UTC