Open vogtm opened 1 month ago
While this might be quite a niche topic, it seems like an interop issue. I hope this is the right place to document it
Considering this simple setup:
<head> <link rel="stylesheet" href="demo.css" > </head>
It's loading normally.
<head> <link rel="stylesheet" href="demo.css" integrity="..." crossorigin="anonymous"> </head>
The ressource will be allowed in Chrome, FF and Safari.
<head> <link rel="stylesheet" href="demo.css" integrity="sha256-AAA" crossorigin="anonymous"> </head>
The ressource will be blocked in all thre browers.
<head> <link rel="stylesheet" href="demo.css" integrity="sha256-..." crossorigin="anonymous"> </head>
The ressource will be allowed in Chrome and Safari but blocked in FF.
I wasn't really able to clearly pinpoint what should be the correct behaviour. I think this is not completely clear and still in open discussion https://github.com/w3c/webappsec-subresource-integrity/issues/120 But still a clear difference between browsers.
While this might be quite a niche topic, it seems like an interop issue. I hope this is the right place to document it
Considering this simple setup:
It's loading normally.
The ressource will be allowed in Chrome, FF and Safari.
The ressource will be blocked in all thre browers.
The ressource will be allowed in Chrome and Safari but blocked in FF.
I wasn't really able to clearly pinpoint what should be the correct behaviour. I think this is not completely clear and still in open discussion https://github.com/w3c/webappsec-subresource-integrity/issues/120 But still a clear difference between browsers.