- From: Yoav Weiss <notifications@github.com>
- Date: Thu, 06 Feb 2025 09:31:14 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1048@github.com>
Hello TAG!

I'm requesting a TAG review of the `require-sri-for` CSP directive.

Subresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI. The `require-sri-for` CSP directive gives developers the ability to assert that every resource of a given type needs to be integrity checked. If a resource of that type is attempted to be loaded without integrity metadata, that attempt will fail and trigger a CSP violation report.

- [Explainer](https://github.com/w3c/webappsec-subresource-integrity/pull/129#:~:text=for%20some%20assets.-,require%2Dsri%2Dfor%20CSP%20directive,-Subresource%2DIntegrity%20)
- [Specification](https://github.com/w3c/webappsec-subresource-integrity/pull/129)
- [WPT Tests](https://chromium-review.googlesource.com/c/chromium/src/+/5877633)
- User research: N/A
- [Security and Privacy self-review](https://gist.github.com/yoavweiss/f37591d1a59da457d07d117d198868d6)
- [GitHub repo](https://github.com/w3c/webappsec-subresource-integrity)
- Primary contacts:
  - Yoav Weiss (@yoavweiss), Shopify, implementer
- Organization/project driving the specification: Shopify
- Multi-stakeholder support³:
  - [Chromium comments](https://groups.google.com/a/chromium.org/g/blink-dev/c/CdLp5BM2FCQ/m/t9ae0Do_AAAJ)
  - Mozilla comments: https://github.com/mozilla/standards-positions/issues/NNN
  - WebKit comments: https://github.com/WebKit/standards-positions/issues/NNN
  - (Ancient) [developer signal](https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0045.html)
- Status/issue trackers for implementations⁴:

Further details:

- [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
- Previous early design review, if any: N/A
- Relevant time constraints or deadlines: I'd like to ship this soon
- The group where the work on this specification is currently being done: WebAppSec
- The group where standardization of this work is intended to be done (if different from the current group):
- Major unresolved issues with or opposition to this specification:
- This work is being funded by: Shopify

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1048
Received on Thursday, 6 February 2025 17:31:18 UTC
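
As an added example (not part of the original message or of the specification), a pre-deployment audit in Python that lists the external scripts on a page that carry no integrity metadata, which are the loads the message says would fail once every script must be integrity checked. It assumes that an empty `integrity` attribute, or one with no sha256/sha384/sha512 token, counts as missing; the sample page, its hosts and its file names are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Hash algorithms that SRI integrity metadata may name.
SRI_ALGS = ("sha256", "sha384", "sha512")


def sri_value(body, alg="sha384"):
    """Return integrity metadata ("<alg>-<base64 digest>") for a resource body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def has_usable_metadata(integrity):
    """True if any token names a supported algorithm and carries a digest.
    Assumption: anything else is treated the same as a missing attribute."""
    for token in (integrity or "").split():
        alg, _, digest = token.partition("-")
        if alg in SRI_ALGS and digest:
            return True
    return False


class ScriptAudit(HTMLParser):
    """Collects the src of external scripts without usable integrity metadata."""

    def __init__(self):
        super().__init__()
        self.missing = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Inline scripts (no src) are outside the scope of this example.
        if tag == "script" and a.get("src") and not has_usable_metadata(a.get("integrity")):
            self.missing.append(a["src"])


def scripts_without_integrity(html):
    audit = ScriptAudit()
    audit.feed(html)
    return audit.missing


# Constructed sample page; hosts and file names are placeholders.
SAMPLE_PAGE = f"""
<script src="https://cdn.example/app.js" integrity="{sri_value(b'console.log(1)')}"></script>
<script src="https://cdn.example/widget.js"></script>
<script src="/legacy.js" integrity=""></script>
<script src="/old.js" integrity="md5-abc"></script>
<script>inlineBootstrap()</script>
"""

if __name__ == "__main__":
    for src in scripts_without_integrity(SAMPLE_PAGE):
        print("no integrity metadata:", src)
```

Running the audit in CI before turning the directive on shows which script tags still need an `integrity` attribute, and `sri_value` produces the value to put there for a given file body.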