-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SRI: Respond to mnot comments #217
Comments
Re-reading to notice that this is some hefty feedback.
Also, CCing @mnot |
Another nit:
|
I think for the more complex issues, it is fine to create a new issue for discussion. |
Regarding 3.8, are we going to drop the CSP directive from V1? It's not implemented in Firefox (or Chrome as far as I know). |
Yeah we are Regarding 3.8, are we going to drop the CSP directive from V1? It's not — |
I just uploaded a pull request to address @mnot's suggestion to expand the option-value-chars. Note, however, that this pull request also adds "/" as a character since we hope to support MIME type's in the future, and those distinctly use "/". Let me know if you think I'm missing something by leaving "/" in. |
I resolved two more issues here because we are only relying on CORS now. Also, I don't think we are going to investigate the "support integrity metadata through headers" in v1. @mnot I couldn't find examples of mistaken use of resource or capital case must/should/ etc. Do you have notes on the cases where you thought the spec was wrong? I also don't understand your point about proxies/no-transform. The link seems to match what the spec wants to achieve: tell the proxy not to transform the body of the response? I am sure I am missing something but would be great if you can explain a bit more. |
WRT two issues resolved due to CORS - which ones? Re: must/may/should - I'll take another look and either point them out or make a pull. About proxies and no-transform - the problem is that a request cannot use no-transform to indicate that the response body should be left along; for better or worse, the semantics are restricted to the message that they occur within. |
I marked the following two as resolved: 3.2.2 ambiguity between response and request headers We have switched the spec to be completely CORS based and removed any magic about making a decision on whether something is eligible for integrity based on headers or auth or anything like that. Suggestions on what we should say about proxies/no-transform then? Also, for my own curiosity, what does "message they occur within" mean? |
So with what we've got right now, we're instructing proxies not to modify the request body? |
@fmarier - exactly so. |
Aah OK. So we should just kill that note Sent from my mobile device. Please forgive the brevity and tpyos.
|
This directive only applies to the request it's in. It doesn't apply to the response, which was the whole point of us adding that header. w3c#217 (comment)
Great, that makes Fetch integration a lot easier too. |
hey @mnot, friendly ping; this is the last issue for SRIv1 still open on our issue tracker. |
Remove FXTF abstract
The RFC2119-happyness is just an editorial comment, and shouldn't block anything; re-skimming the spec, it doesn't seem as bad now. WRT "resource" - most instances in the doc (there are currently 60) should be changed to "response." @annevk, thoughts? |
Seems reasonable. |
This directive only applies to the request it's in. It doesn't apply to the response, which was the whole point of us adding that header. w3c#217 (comment)
see https://readable-email.org/list/public-webappsec/topic/sri-updates-to-the-spec-and-outstanding-issues#content-3
Opening this as a tracker task just to make sure it doesn't fall through the cracks.
The text was updated successfully, but these errors were encountered: