Re: [CSP] "sri" source expression to enforce SRI

On Thu, Mar 17, 2016 at 11:11 AM, Scott Helme <>

> At first glance it seems like a 'require-sri' keyword that you could drop
> into default/script/style-src would be more straightforward.

I think it could make sense. I'm not opposed to it if someone wants to
submit a PR. I think the separate directive would be _simpler_, but I'm
totally willing to believe that it's not _better_. :)

> If 'require-sri' became a new directive would it be an on/off setting like
> 'upgrade-insecure-requests' or could you configure which resource types it
> applies to? Would you need to?

I think you'd need to do something like `require-sri script image style`
(or `require-sri *`) for this to be viable.


Received on Thursday, 17 March 2016 10:32:19 UTC