- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 9 Sep 2016 16:44:31 -0700
- To: Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 9 September 2016 23:45:00 UTC
On Fri, Sep 9, 2016 at 4:23 PM, Francois Marier <francois@mozilla.com> wrote:

> It does however mean that we need to be careful before blocking new
> sources of scripts in the future. Otherwise, we could end up with
> something like:
>

We have to block all scripts, and any new scripts we invent in the future as soon as they are invented.

> 1. Developer adds require-sri to their site and SRI to all scripts.
> 2. Browser 50 introduces MegaWorkers.
> 3. Developer takes advantage of MegaWorkers on their site.
> 4. Browser 51 adds MegaWorkers to require-sri.
>

Browser 50 did a bad thing. This has always been a potential issue with content loading in CSP in general. If we invent Beacon, etc. then we have to make sure Beacon is covered by some policy, falling back to default-src, right from the beginning.

-Dan Veditz
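An added example, not code from this thread or from any browser: a toy model in JavaScript of CSP directive fallback together with a require-sri-for check, to make Dan's point concrete. The script, style and worker fallback chains follow CSP Level 3 (worker-src falls back to child-src, then script-src, then default-src); the "megaworker" fetch type, its "megaworker-src" directive, the "sometype" fetch type with no chain at all, the sample policy and the page origin are assumptions made for the illustration, and source-expression matching is reduced to 'none', '*', 'self' and exact origins.

```javascript
// Added example (not from the thread): a toy model of CSP directive fallback
// plus the require-sri-for check, to show why a new fetch type has to fall
// back to default-src from the day it ships.

// Fallback chains, most specific directive first. script/style/worker follow
// CSP Level 3. "megaworker" and "megaworker-src" are the hypothetical fetch
// type and directive from the thread, given a chain here purely to illustrate
// the point; a type with no chain at all is the "bad thing" case.
const FALLBACK = {
  script:     ["script-src", "default-src"],
  style:      ["style-src", "default-src"],
  worker:     ["worker-src", "child-src", "script-src", "default-src"],
  megaworker: ["megaworker-src", "worker-src", "child-src", "script-src", "default-src"],
};

// Which require-sri-for token, if any, each fetch type counts as. The draft
// only defined "script" and "style"; a later browser deciding that
// megaworkers are "script" is the scenario in steps 1-4 of the thread.
const SRI_CLASS = { script: "script", style: "style", worker: null, megaworker: null };

// Parse "default-src 'none'; script-src 'self' https://cdn.example; ..."
// into a Map of directive name -> list of value tokens.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// First directive in the type's fallback chain that the policy sets,
// or null if the policy has nothing to say about that type.
function effectiveDirective(policy, fetchType) {
  for (const name of FALLBACK[fetchType] || []) {
    if (policy.has(name)) return name;
  }
  return null;
}

// Simplified source-expression matching: 'none', '*', 'self' and exact
// origins only (real CSP also handles schemes, host wildcards, nonces, hashes).
function sourceAllowed(values, pageOrigin, url) {
  const origin = new URL(url).origin;
  for (const v of values) {
    if (v === "'none'") return false;
    if (v === "*") return true;
    if (v === "'self'" && origin === pageOrigin) return true;
    if (!v.startsWith("'") && v === origin) return true;
  }
  return false;
}

// Decide whether one load is permitted. `integrity` is the element's
// integrity attribute or null; `sriClasses` lets the caller model a browser
// that reclassifies a fetch type after the site has been deployed.
function checkLoad(header, fetchType, { pageOrigin, url, integrity = null }, sriClasses = SRI_CLASS) {
  const policy = parsePolicy(header);
  const directive = effectiveDirective(policy, fetchType);
  if (directive === null) {
    return { allowed: true, reason: `no directive governs ${fetchType}` };
  }
  if (!sourceAllowed(policy.get(directive), pageOrigin, url)) {
    return { allowed: false, reason: `blocked by ${directive}` };
  }
  const required = policy.get("require-sri-for") || [];
  const cls = sriClasses[fetchType];
  if (cls && required.includes(cls) && !integrity) {
    return { allowed: false, reason: `require-sri-for ${cls} but no integrity attribute` };
  }
  return { allowed: true, reason: `allowed by ${directive}` };
}

// Constructed sample policy and page origin for the demonstration.
const POLICY = "default-src 'none'; script-src 'self' https://cdn.example; require-sri-for script";
const PAGE = "https://app.example";

function demo() {
  return [
    // A megaworker from an unlisted origin is blocked even though this policy
    // never mentions megaworker-src: the chain ends in script-src/default-src.
    checkLoad(POLICY, "megaworker", { pageOrigin: PAGE, url: "https://evil.example/w.js" }),
    // Same-origin megaworker without integrity: fine under "Browser 50"...
    checkLoad(POLICY, "megaworker", { pageOrigin: PAGE, url: "https://app.example/w.js" }),
    // ...and broken once "Browser 51" decides megaworkers count as "script".
    checkLoad(POLICY, "megaworker", { pageOrigin: PAGE, url: "https://app.example/w.js" },
              { ...SRI_CLASS, megaworker: "script" }),
    // "sometype" (assumed, absent from FALLBACK): a fetch type shipped with no
    // fallback chain slips past default-src entirely. That is Dan's "bad thing".
    checkLoad(POLICY, "sometype", { pageOrigin: PAGE, url: "https://evil.example/x" }),
  ];
}
```

Run `demo()` under Node to see the four outcomes; the first and last entries are the two halves of the argument, a new type that falls back to default-src is constrained from day one, a new type with no fallback is not, and the middle pair reproduce Francois's steps 1-4.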