
Re: [CSP] "sri" source expression to enforce SRI

From: Mike West <mkwst@google.com>
Date: Thu, 17 Mar 2016 11:31:30 +0100
Message-ID: <CAKXHy=dphm8Bwkk4dvm7D1Bv_m4Em5vT5nCvs-z-juhGOoyFAA@mail.gmail.com>
To: Scott Helme <scotthelme@hotmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Mar 17, 2016 at 11:11 AM, Scott Helme <scotthelme@hotmail.com> wrote:

> At first glance it seems like a 'require-sri' keyword that you could drop
> into default/script/style-src would be more straightforward.
>

I think it could make sense. I'm not opposed to it if someone wants to
submit a PR. I think the separate directive would be _simpler_, but I'm
totally willing to believe that it's not _better_. :)


> If 'require-sri' became a new directive would it be an on/off setting like
> 'upgrade-insecure-requests' or could you configure which resource types it
> applies to? Would you need to?
>

I think you'd need to do something like `require-sri script image style`
(or `require-sri *`) for this to be viable.

-mike
Received on Thursday, 17 March 2016 10:32:19 UTC
