- From: Henrik Andersson <henke@henke37.cjb.net>
- Date: Tue, 27 Sep 2016 12:14:33 +0200
- To: Jonathan Kingston <jonathan@jooped.co.uk>, www-style@w3.org, WebAppSec WG <public-webappsec@w3.org>
Jonathan Kingston wrote:
> Hi WebAppSec and CSSWG,
>
> As part of the latest SRI spec work, there is a desire to put SRI
> capabilities within CSS[1]. However this would be made simpler with a
> closer integration of CSS with the fetch API on any <url> type properties.
>
> So I have started a draft [2], which I thought I would share in
> its very rough stage to prevent it from stagnating.
>
> The draft covers a rough direction of how all <url> types will behave
> when integrated with CSS, it also covers some of the further
> specification of how referrer headers are handled within CSS.
>
> The draft also at the end covers the use of integrity and crossorigin
> URL modifiers to be used in conjunction with the url data type to
> restrict sub resources with the same checks as is possible in HTML.
>
> Feel free to respond here on thoughts and file issues on Github [3].
>
> Thanks
>
> [1]
> https://github.com/w3c/webappsec-subresource-integrity/issues/40#issuecomment-247964962
> [2] https://jonathankingston.github.io/css-fetch-integration/
> [3]
> https://github.com/jonathanKingston/css-fetch-integration/tree/gh-pages
>

I think this will be an excellent opportunity to clarify what CSS-Images [1] means with "If the UA cannot download, parse, or otherwise successfully display the contents at the URL as an image". In particular with the corner case of an image request having a response with a 404 reply code, but an image type response body.

HTML has some non-obvious ideas about this. [2]

"Whether the image is fetched successfully or not (e.g., whether the response status was an ok status <https://fetch.spec.whatwg.org/#ok-status>) must be ignored when determining the image’s type and whether it is a valid image."

Unnatural as it is, authors probably expect CSS and HTML images to behave identically in this corner situation.

[1] https://www.w3.org/TR/css3-images/#invalid-image
[2] http://w3c.github.io/html/semantics-embedded-content.html#fully-decodable
Received on Tuesday, 27 September 2016 10:16:22 UTC