Re: [CSP][SRI] block-non-sri-resources: * or no *?

On Thu, Mar 31, 2016 at 3:18 PM, Neil Matatall <oreoshake@github.com> wrote:

> During the last teleconference [1], we discussed the future of using
> `*` as a source expression in a `block-non-sri-resources` context.
> Whether this lands as part of CSP, in a separate header, etc. we
> should decide if `*` is allowed as a value.
>

We have the option of not deciding yet: '*' currently isn't a whole lot
shorter than the only supported values of 'script' 'style'. Later, when
we do introduce all those other possible values we can also introduce '*'.

That will introduce the problem of future websites using '*' and old
browsers not understanding it. That's probably OK given that the two
browser engines which currently support SRI update quickly. In practice we
should be fine.

-Dan Veditz

Received on Friday, 1 April 2016 00:18:02 UTC