W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2016

Re: [CSP] "sri" source expression to enforce SRI

From: Scott Helme <scotthelme@hotmail.com>
Date: Wed, 16 Mar 2016 18:11:42 +0000
Message-ID: <BLU436-SMTP34CF7473B1BE88F9B1F694D98A0@phx.gbl>
To: public-webappsec@w3.org
I agree, I'd love to see some traction with this.

Angular will soon be providing the appropriate script tags with
integrity values for each release:
This makes deploying SRI a matter of copy and paste.

SRI is much easier to deploy than CSP and only requires maintenance when
you change the script/style tag itself, CSP requires ongoing knowledge
and maintenance.
I think adoption of SRI will likely eclipse CSP relatively soon, I'm
betting with you, not against!


Scott Helme / Information Security Consultant
PGP Key <https://scotthelme.co.uk/contact/>


Twitter <https://twitter.com/Scott_Helme>Facebook
<https://github.com/ScottHelme/>Skype <scott.helme87>

On 16/03/2016 17:18, Neil Matatall wrote:
> What can we do to get this moving? No matter the form, I don't think
> there's any disagreement about whether or not this is valuable. We're
> starting to see a proliferation of SRI attributes included in example
> snippets for 3rd party assets. It's my gut instinct* that SRI has the
> possibility of eclipsing CSP in terms of adoption, but that's a
> different topic. It sounds like CSP bloat and SRI changes are the
> biggest hurdles. Something that may alleviate both concerns:
>   block-non-sri-resources: stylesheets, scripts(, images, videos, unicorns)
> I would still love to see this as a part of CSP, especially if we're
> talking about adding something related to noopener
> https://twitter.com/mikewest/status/710025892970504193. Maybe this
> separate header value can also work as a directive, just remove [:,]
> * I'll take bets
> On Tue, Feb 16, 2016 at 5:44 AM, Patrick Toomey
> <patrick.toomey@github.com> wrote:
>> On Wed, Feb 10, 2016 at 7:47 AM Frederik Braun <fbraun@mozilla.com> wrote:
>>> On 09.02.2016 19:35, Craig Francis wrote:
>>>> I'm forgetting the discussion a bit, but CSP already gives us:
>>>> block-all-mixed-content
>>>> upgrade-insecure-requests
>>>> Maybe we could keep it as just one directive:
>>>> block-non-sri-resources
>>>> Or am I missing the more advanced cases like saying SRI is required for
>>>> all JavaScript files, but not on CSS (doubt that is useful, as you might
>>>> as well do both)... or maybe in the future SRI could be added to images,
>>>> video, etc?
>>> We'd need to think about compatibility assuming SRI will expand to other
>>> tags.
>>> I would be surprised if nobody wanted a report-mode and a block-mode and
>>> a way to specify which subresources/elements should be subject to the
>>> policy. (The list of elements could be abbreviated with a short-hand
>>> form, e.g., "sri-v1" meaning scripts & styles.)
>>> I guess this level of complexity (and Mark Nottingham's comment about
>>> HPACK and entropy) warrants its own header?
>> I'm curious where the line should be drawn between extending CSP and adding
>> a new header? Not having been involved with CSP from day one, maybe this has
>> already been discussed. But, I feel like CSP is a natural place to
>> centralize on browser based security policies (like x-frame-options
>> migrating to frame-ancestors). Adding a new header for each and every new
>> good idea for browser security doesn't seem to scale. As has been mentioned
>> in this thread prior, it feels like we are starting to bump up against
>> practical size consideration issues. Whether the CSP header itself grows too
>> large or we end up adding 50 headers to each HTTP response, there is an
>> issue of bloat. It would be a shame to place some artificial cap on good
>> ideas based on concerns for adding too many new headers and/or stretching
>> the size of the CSP header. I personally feel like moving toward a
>> centralized policy/manifest/resource sounds like the best way to handle
>> this, but I think most of that discussion is best had over in the "header
>> size and policy delivery" thread. I just wanted to bring it up here since I
>> think the "where do we put it" discussion should be deferred until later,
>> since it seems like this is a general concern for almost anything new that
>> is proposed.
Received on Thursday, 17 March 2016 09:42:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:55 UTC