ISSUE-36: hash as a source expression for CSP 1.1


State: CLOSED
Product: CSP Level 2
Raised by:
Opened on: 2012-11-02
Description:
Trying a fetch of remote content before checking the hash may have undesirable CSRF-like effects, so the group believes that a hash source expression should only apply to inline resources; for remote resources it should be combined with future work on sub-resource integrity.

Name/scheme of this source expression should probably be something like inline-hash to be clear?
Related Action Items:
No related actions
Related emails:
No related emails

Related notes:

Would this just apply to inline content or potentially also to remote content?

Brad Hill, 25 Apr 2013, 18:41:26

This is in 1.1, does not apply to remote content.

Mike West, 10 Feb 2014, 13:20:56



Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>, Chairs, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>, Staff Contacts