- From: Frederik Braun <fbraun@mozilla.com>
- Date: Wed, 10 Feb 2016 15:44:53 +0100
- To: public-webappsec@w3.org

On 09.02.2016 19:35, Craig Francis wrote:
> I'm forgetting the discussion a bit, but CSP already gives us:
>
> block-all-mixed-content
> upgrade-insecure-requests
>
> Maybe we could keep it as just one directive:
>
> block-non-sri-resources
>
> Or am I missing the more advanced cases like saying SRI is required for
> all JavaScript files, but not on CSS (doubt that is useful, as you might
> as well do both)... or maybe in the future SRI could be added to images,
> video, etc?

We'd need to think about compatibility assuming SRI will expand to other tags.

I would be surprised if nobody wanted a report-mode and a block-mode and a way to specify which subresources/elements should be subject to the policy. (The list of elements could be abbreviated with a short-hand form, e.g., "sri-v1" meaning scripts & styles.)

I guess this level of complexity (and Mark Nottingham's comment about HPACK and entropy) warrants its own header?

Received on Wednesday, 10 February 2016 14:45:26 UTC