
Re: [CSP] "sri" source expression to enforce SRI

From: Frederik Braun <fbraun@mozilla.com>
Date: Wed, 10 Feb 2016 15:44:53 +0100
To: public-webappsec@w3.org
Message-ID: <56BB4CE5.8010702@mozilla.com>

On 09.02.2016 19:35, Craig Francis wrote:
> I'm forgetting the discussion a bit, but CSP already gives us:
> 
> block-all-mixed-content
> upgrade-insecure-requests
> 
> Maybe we could keep it as just one directive:
> 
> block-non-sri-resources
> 
> Or am I missing the more advanced cases like saying SRI is required for
> all JavaScript files, but not on CSS (doubt that is useful, as you might
> as well do both)... or maybe in the future SRI could be added to images,
> video, etc?

We'd need to think about compatibility assuming SRI will expand to other
tags.

I would be surprised if nobody wanted a report-mode and a block-mode and
a way to specify which subresources/elements should be subject to the
policy. (The list of elements could be abbreviated with a short-hand
form, e.g., "sri-v1" meaning scripts & styles.)

I guess this level of complexity (and Mark Nottingham's comment about
HPACK and entropy) warrants its own header?
Received on Wednesday, 10 February 2016 14:45:26 UTC
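The reply above sketches three knobs for a "require SRI" policy: a report mode versus a block mode, a list of which elements are covered, and a short-hand such as "sri-v1" for scripts and styles. The following is an added toy evaluator of those semantics, written for this archive page; it is not part of the thread, not Mozilla or W3C code, and "block-non-sri-resources" is only the directive name proposed in Craig's quoted message, not a shipped CSP directive. The "report-only" token, the mapping of "sri-v1" to script and stylesheet link elements, the HTML fixture and the in-memory stand-in for fetched bodies are all constructed assumptions for illustration.

```python
"""Toy evaluator for the hypothetical "block-non-sri-resources" directive.

Policy grammar assumed here (constructed, not a real CSP grammar):
    block-non-sri-resources <element-list> [report-only]
<element-list> is a space-separated list of element names, or the
short-hand "sri-v1" meaning scripts and stylesheet links.
"""
import base64
import hashlib
from html.parser import HTMLParser

# Assumed short-hand expansion; "link" stands for <link rel="stylesheet">.
SHORTHANDS = {"sri-v1": {"script", "link"}}
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def parse_policy(value: str) -> dict:
    """Parse the hypothetical directive into covered elements and mode."""
    tokens = value.split()
    if not tokens or tokens[0] != "block-non-sri-resources":
        raise ValueError("not a block-non-sri-resources directive")
    report_only = "report-only" in tokens[1:]
    elements = set()
    for tok in tokens[1:]:
        if tok == "report-only":
            continue
        elements |= SHORTHANDS.get(tok, {tok})
    return {"elements": elements, "report_only": report_only}


def integrity_for(body: bytes, alg: str = "sha384") -> str:
    """Compute an SRI-style integrity token: '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(attr: str, body: bytes) -> bool:
    """An integrity attribute may list several tokens; any valid match suffices."""
    for token in attr.split():
        alg, _, _ = token.partition("-")
        if alg in SRI_ALGORITHMS and integrity_for(body, alg) == token:
            return True
    return False


class SubresourceCollector(HTMLParser):
    """Collect (element, url, integrity) for scripts and stylesheet links."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], a.get("integrity")))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.resources.append(("link", a["href"], a.get("integrity")))


def evaluate(html: str, policy: dict, fetched: dict):
    """Return (allowed_urls, violations).

    `fetched` maps URL -> response body and stands in for the network.
    Block mode drops violating resources; report mode records them but loads them.
    """
    collector = SubresourceCollector()
    collector.feed(html)
    allowed, violations = [], []
    for element, url, integrity in collector.resources:
        if element not in policy["elements"]:
            allowed.append(url)  # element type not covered by the policy
            continue
        body = fetched.get(url, b"")
        if integrity is None:
            reason = "missing integrity attribute"
        elif not integrity_matches(integrity, body):
            reason = "integrity mismatch"
        else:
            reason = None
        if reason is None:
            allowed.append(url)
            continue
        violations.append((url, reason))
        if policy["report_only"]:
            allowed.append(url)  # report mode: record the violation, still load
    return allowed, violations


# Constructed fixture: one correct hash, one wrong hash, one missing attribute.
GOOD_JS = b"console.log('hello');"
GOOD_CSS = b"body{margin:0}"
FETCHED = {"/app.js": GOOD_JS, "/style.css": GOOD_CSS, "/untagged.js": b"alert(1)"}
SAMPLE_HTML = f"""
<script src="/app.js" integrity="{integrity_for(GOOD_JS)}"></script>
<link rel="stylesheet" href="/style.css" integrity="sha256-AAAA">
<script src="/untagged.js"></script>
"""

if __name__ == "__main__":
    for directive in ("block-non-sri-resources sri-v1",
                      "block-non-sri-resources sri-v1 report-only",
                      "block-non-sri-resources script"):
        print(directive, "->", evaluate(SAMPLE_HTML, parse_policy(directive), FETCHED))
```

The element list and the report-only flag are what make the single-directive form from the quoted message grow into the more complex shape the reply anticipates; a real specification would also have to decide how an unknown element name (for example a future image or video element) is treated by older clients.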
