
Re: [CSP] "sri" source expression to enforce SRI

From: Mike West <mkwst@google.com>
Date: Thu, 17 Mar 2016 11:31:30 +0100
Message-ID: <CAKXHy=dphm8Bwkk4dvm7D1Bv_m4Em5vT5nCvs-z-juhGOoyFAA@mail.gmail.com>
To: Scott Helme <scotthelme@hotmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Mar 17, 2016 at 11:11 AM, Scott Helme <scotthelme@hotmail.com>

> At first glance it seems like a 'require-sri' keyword that you could drop
> into default/script/style-src would be more straightforward.

I think it could make sense. I'm not opposed to it if someone wants to
submit a PR. I think the separate directive would be _simpler_, but I'm
totally willing to believe that it's not _better_. :)

> If 'require-sri' became a new directive would it be an on/off setting like
> 'upgrade-insecure-requests' or could you configure which resource types it
> applies to? Would you need to?

I think you'd need to do something like `require-sri script image style`
(or `require-sri *`) for this to be viable.

Received on Thursday, 17 March 2016 10:32:19 UTC
