
SRI: are there more problematic headers? #305

Closed
fmarier opened this issue Apr 25, 2015 · 5 comments

fmarier (Member) commented Apr 25, 2015

Section 3.3.2 lists the following headers as making the resource ineligible for integrity checks:

  • Authorization or WWW-Authenticate
  • Refresh

Consider the impact of other headers: Content-Length, Content-Range, etc. Is there danger there?

@fmarier fmarier added this to the SRI-v1-LC milestone Apr 25, 2015
@fmarier fmarier added the SRI label Apr 25, 2015
fmarier pushed a commit to fmarier/webappsec that referenced this issue Apr 25, 2015
annevk (Member) commented Apr 27, 2015

I think that section is largely bogus. Probably best to revisit it. Those headers would not exclude checks at all. This is why you need to fix Fetch integration.

mozfreddyb (Contributor) commented

To clarify: This means, if we integrate nicely with fetch, you will define the headers for us, so we do not have to?

annevk (Member) commented May 5, 2015

I don't see what needs to be defined about those headers? But if something needs to happen, that would need to fall out of integrating with Fetch.

devd (Contributor) commented May 17, 2015

Maybe we should just kill that section then? I think now that we have switched to requiring CORS, I don't see much point to this section either.

hillbrad (Contributor) commented

+1 to remove this section. Since you need to be able to see the contents of a response for it to be eligible at this point, making further distinctions about whether content was "authenticated" or not seems to be of no practical value.
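
Added example, not part of this issue thread or of the SRI spec text: it puts the two eligibility rules discussed here side by side (the header list from the old Section 3.3.2 as quoted in the opening comment, and the "the document must be able to read the response" rule that hillbrad and devd argue makes that list redundant) and then runs the actual integrity check over a constructed response body. The response-type strings ("basic", "cors", "opaque"), the sample body and the helper names are this example's own assumptions, chosen to mirror Fetch's response types; the "strongest algorithm wins" matching and "empty metadata means no check" behaviour follow the published SRI algorithm.

```python
"""Added example: SRI eligibility rules from this thread plus a digest check.

Not code from the SRI spec or the webappsec repository; response types and
sample values are constructed for illustration.
"""
import base64
import hashlib
import hmac

# Headers that the old Section 3.3.2 (as quoted in the issue) treated as
# disqualifying. The thread's conclusion is that this list adds nothing once
# eligibility is tied to the response being readable by the embedding page.
PROBLEMATIC_HEADERS = {"authorization", "www-authenticate", "refresh"}

SUPPORTED = {"sha256": 0, "sha384": 1, "sha512": 2}  # higher = stronger

# Constructed sample script body (not from the page).
SAMPLE_BODY = b"console.log('hello from a CDN');\n"


def eligible_old_rule(response_headers):
    """Pre-fix rule: ineligible if any of the listed headers is present."""
    names = {name.lower() for name in response_headers}
    return not (names & PROBLEMATIC_HEADERS)


def eligible_cors_rule(response_type):
    """Post-fix rule (assumed Fetch-style response types): the page must be
    able to see the body, so same-origin ("basic") or CORS-approved ("cors")
    responses qualify and "opaque" ones never do."""
    return response_type in ("basic", "cors")


def parse_integrity(attr):
    """Parse 'sha256-<b64> sha384-<b64>?opt' into (algorithm, digest) pairs.

    Malformed tokens, unknown algorithms and digests of the wrong length are
    skipped, as the spec ignores metadata it cannot understand."""
    parsed = []
    for token in attr.split():
        algo, _, rest = token.partition("-")
        if algo not in SUPPORTED:
            continue
        b64 = rest.split("?", 1)[0]  # drop any ?options suffix
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        if len(digest) != hashlib.new(algo).digest_size:
            continue
        parsed.append((algo, digest))
    return parsed


def check_integrity(body, attr):
    """Return True if body matches some digest of the strongest listed
    algorithm. Empty or unusable metadata means there is nothing to check."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    best = max(SUPPORTED[algo] for algo, _ in parsed)
    for algo, expected in parsed:
        if SUPPORTED[algo] != best:
            continue  # weaker algorithms are ignored when a stronger one is listed
        actual = hashlib.new(algo, body).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def verify_subresource(body, response_type, attr):
    """Full decision as argued in the thread: readability first, then hash."""
    if not eligible_cors_rule(response_type):
        return False
    return check_integrity(body, attr)


def integrity_for(body, algo):
    """Helper to build an integrity attribute value for a known-good body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


if __name__ == "__main__":
    attr = integrity_for(SAMPLE_BODY, "sha384")
    print("old rule, Content-Length only:", eligible_old_rule({"Content-Length": "33"}))
    print("old rule, WWW-Authenticate:", eligible_old_rule({"WWW-Authenticate": "Basic"}))
    print("cors response:", verify_subresource(SAMPLE_BODY, "cors", attr))
    print("opaque response:", verify_subresource(SAMPLE_BODY, "opaque", attr))
    print("tampered body:", verify_subresource(SAMPLE_BODY + b"x", "cors", attr))
```

The header-based rule is kept only for comparison: a `Content-Length` or `Content-Range` header, the case raised in the opening comment, passes it, and an `Authorization` header fails it, yet neither outcome tells the page anything the readability check does not already settle.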

devd added a commit that referenced this issue May 28, 2015
SRI: Remove problematic headers section (fix #305)
mikewest pushed a commit to mikewest/webappsec that referenced this issue Jun 29, 2015
use time element for the date instead of two spans
5 participants