I think I am beginning to lean toward a separate directive for this as well. Originally I felt the addition of a "require-sri" source expression was simpler. But, it does muddle the entire notion of what a source expression is and would make defining source expressions that much uglier to formally define and implement. Defining this as its own directive seems to simplify the specification and makes it more extensible going forward if/when any changes are made to SRI itself. On Thu, Mar 17, 2016 at 4:35 AM Mike West <mkwst@google.com> wrote: > On Thu, Mar 17, 2016 at 11:11 AM, Scott Helme <scotthelme@hotmail.com> > wrote: > >> At first glance it seems like a 'require-sri' keyword that you could drop >> into default/script/style-src would be more straightforward. >> > > I think it could make sense. I'm not opposed to it if someone wants to > submit a PR. I think the separate directive would be _simpler_, but I'm > totally willing to believe that it's not _better_. :) > > >> If 'require-sri' became a new directive would it be an on/off setting >> like 'upgrade-insecure-requests' or could you configure which resource >> types it applies to? Would you need to? >> > > I think you'd need to do something like `require-sri script image style` > (or `require-sri *`) for this to be viable. > > -mike >
Received on Thursday, 17 March 2016 11:34:51 UTC