-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make the return value of "Parse metadata" consistent #86
Conversation
16c08d6
to
1d0edff
Compare
8e9e834
to
d2052ab
Compare
This is the opposite of #120. |
The output of this algorithm should be the same in all three cases: - the empty string - a list of one or more metadata with unrecognized hash functions - a list of one or more metadata with invalid ni URI This change makes the last two cases match the output of the first.
d2052ab
to
930ec20
Compare
I am not sure if the right thing is to return empty value from algorithm in all three cases or to treat all three as empty in the spec. The different values could allow for flexibility in the future, maybe? And I imagine UAs might want to implement that anyhow to differentiate warnings in the console. WDYT @mozfreddyb @metromoxie |
I don't feel too strongly either way. I think the point about warnings is good, but UAs could, of course, juts do that mid-algorithm anyway. |
@devd Speaking for the Firefox implementation, the algorithm in the spec is not really what I've implemented anyways. I do check for various ways in which things fail to be valid. However, I think these are implementation details and that the spec algorithm can omit these details and focus on being simple to understand and reason about. |
I hope that users and authors in our spec audience will outnumber us user agent people. So maybe we should optimize for clarity, not for implementation? (I was going to say priority of constituencies, but forgot the exact term.) |
I'd agree that you should optimize for clarity, but I would tentatively suggest that the prose in your specification is for authors and users, and it should explain enough for them to understand both the intent and impact of the feature. The algorithms are probably best written with implementers as the target audience. |
lets merge this for now and then take another edit pass at it later. I imagine we will need to edit the use of ni:// URIs too. |
Make the return value of "Parse metadata" consistent
This commit reintroduces a distinction that used to exist in the spec prior to 930ec20 (see w3c#86 and w3c#119). As [discussed on the list](https://lists.w3.org/Archives/Public/public-webappsec/2015Aug/0006.html), it helps developers catch mistakes by failing closed on CORS errors when the `integrity` attribute is non-empty (an indication that the developer meant to use SRI). Prior to this commit, `integrity` attributes which consists of only invalid metadata would fail open (silently load).
This commit reintroduces a distinction that used to exist in the spec prior to 930ec20 (see w3c#86 and w3c#119). As [discussed on the list](https://lists.w3.org/Archives/Public/public-webappsec/2015Aug/0006.html), it helps developers catch mistakes by failing closed on CORS errors when the `integrity` attribute is non-empty (an indication that the developer meant to use SRI). Prior to this commit, `integrity` attributes which consists of only invalid metadata would fail open (silently load).
The output of this algorithm should be the same in all three
cases:
This change makes the last two cases match the output of the first.