Rename digest to integrity as digest is wrong #5
Comments
I think by essentially reporting the integrity metadata it will also be forward-compatible with Signature-Based-SRI.
In the CSP PR that replaces this, I initially went with "hash". I can switch that to "integrity" if you feel that's better. I'd also appreciate your thoughts on that PR in terms of the format of the "hash"/"integrity". Currently it's just the "sha-256" output of applying algorithm to bytes, without an indication of the algorithm used.
Maybe I misunderstood. Say the HTML says this and <script src=... integrity="unsupported-baz sha512-foo sha256-bar"> What string do we report?
The current algorithm effectively calculates the hash of the script contents using "sha-256" and reports that. So in your example, assuming that the asset actually loads (and passes the integrity checks), we'd report "sha256-bar" (according to the current algorithm).
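The behaviour described in the comment above, as an added example that is not part of the thread or of the spec's own text: a Python model in which the SRI check compares only the strongest supported algorithm in the attribute, while the reported value is always the SHA-256 of the script bytes. The function names and the sample script are constructed for illustration, and the `sha256-<base64>` report format is assumed from the "sha256-bar" form used in the comment.

```python
import base64
import hashlib

# Hash functions SRI defines, ordered weakest to strongest.
SUPPORTED = ("sha256", "sha384", "sha512")


def sri_value(algorithm, body):
    """Format a digest the way integrity metadata writes it: <alg>-<base64>."""
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attribute):
    """Split an integrity attribute into (algorithm, base64 digest) pairs,
    dropping tokens whose algorithm is not supported."""
    parsed = []
    for token in attribute.split():
        algorithm, sep, rest = token.partition("-")
        value = rest.split("?", 1)[0]  # ignore any ?options suffix
        if sep and algorithm in SUPPORTED and value:
            parsed.append((algorithm, value))
    return parsed


def passes_integrity(attribute, body):
    """SRI check: only entries using the strongest algorithm present count."""
    parsed = parse_integrity(attribute)
    if not parsed:
        return True  # no usable metadata means nothing is enforced
    strongest = max((alg for alg, _ in parsed), key=SUPPORTED.index)
    return any(sri_value(alg, body) == f"{alg}-{val}"
               for alg, val in parsed if alg == strongest)


def reported_hash(attribute, body):
    """Model of the comment (assumed format): if the script loads, report the
    SHA-256 of its bytes, whatever algorithms the attribute listed."""
    if not passes_integrity(attribute, body):
        return None  # blocked by SRI, so no hash of a loaded script exists
    return sri_value("sha256", body)


# Constructed sample mirroring the attribute shape asked about in the thread.
SCRIPT = b"console.log('hi');\n"
ATTRIBUTE = (f"unsupported-baz {sri_value('sha512', SCRIPT)} "
             f"{sri_value('sha256', SCRIPT)}")

if __name__ == "__main__":
    print(reported_hash(ATTRIBUTE, SCRIPT))
```

An attribute that lists only a `sha512-` value still yields a `sha256-` report in this model, because the reported string is computed from the bytes rather than copied from the attribute.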
I misunderstood what this is doing. I thought this was exclusively for SRI failures.
Closing as this is no longer relevant. Thanks!
That's the publicly used name in Fetch and HTML. I think we should stay consistent with that.
(But also, it seems you want to include more than just the digest (and the examples do). The cryptographic hash function is not part of the digest.)