SRI should accept base64url encoded integrity metadata and be liberal with padding
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking | Status | |
---|---|---|
firefox115 | --- | fixed |
People
(Reporter: freddy, Assigned: freddy)
Details
(Whiteboard: [domsecurity-active], [wptsync upstream])
Attachments
(1 file, 1 obsolete file)
Assignee
Comment 1•1 year ago
Comment 2•1 year ago
Can we get more explanation? Are we violating the spec? Need Chrome or web compatibility even if we aren't? Something else?
From the patch this looks like it adds support for base64url hashes and is forgiving when the base64 padding is the wrong length or missing.
Assignee
Comment 3•1 year ago
This is from a conversation in the WHATWG chat on Matrix. Annevk told me that due to testing he found out Safari and Chrome support base64url and Firefox does not.
In lieu of a realistic way to deprecate support gracefully, I started looking at what it may take to align our implementations here instead.
Assignee
Comment 4•1 year ago
Tests have shown that web pages use base64url encoded integrity
metadata when using SRI, as other browsers are already supporting it.
To align cross-browser behavior, we'll support base64url and base64
in parallel and update the tests from wpt at the same time.
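As an added illustration, not code from the Firefox patch or from any commenter: a Python sketch of the matching behaviour described in comments 2 and 4, accepting base64 and base64url digests whose padding is missing or the wrong length. The function names, the strip-and-recompute padding approach and the sample script body are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Digest sizes in bytes for the hash functions SRI defines.
DIGEST_SIZES = {"sha256": 32, "sha384": 48, "sha512": 64}


def decode_digest(value):
    """Decode a base64 or base64url digest; padding may be absent or wrong."""
    # Map the base64url alphabet onto the standard one.
    std = value.translate(str.maketrans("-_", "+/"))
    # Discard whatever padding was supplied and recompute it from the length.
    std = std.rstrip("=")
    if len(std) % 4 == 1:  # no byte string encodes to this length
        return None
    try:
        return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
    except ValueError:  # characters outside the base64 alphabet
        return None


def parse_integrity(attr):
    """Return (algorithm, digest) for each token that decodes to the right size."""
    parsed = []
    for token in attr.split():
        algo, sep, rest = token.partition("-")
        digest = decode_digest(rest.split("?", 1)[0]) if sep else None
        if digest is not None and len(digest) == DIGEST_SIZES.get(algo):
            parsed.append((algo, digest))
    return parsed


def matches(body, attr):
    """True/False for a checked resource; None when no token was usable."""
    parsed = parse_integrity(attr)
    if not parsed:
        return None
    # Only the strongest algorithm present is compared, as SRI specifies.
    strongest = max(parsed, key=lambda p: DIGEST_SIZES[p[0]])[0]
    actual = hashlib.new(strongest, body).digest()
    return any(hmac.compare_digest(actual, d) for a, d in parsed if a == strongest)


# Constructed sample: one script body and its SHA-256 digest written four ways.
BODY = b"console.log('sri demo');\n"
B64 = base64.b64encode(hashlib.sha256(BODY).digest()).decode()
URL = B64.translate(str.maketrans("+/", "-_"))
FORMS = ["sha256-" + v for v in (B64, URL, URL.rstrip("="), B64 + "==")]
```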
Comment 7•1 year ago
bugherder