- From: Mike West <mkwst@google.com>
- Date: Thu, 17 Mar 2016 11:31:30 +0100
- To: Scott Helme <scotthelme@hotmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 17 March 2016 10:32:19 UTC

On Thu, Mar 17, 2016 at 11:11 AM, Scott Helme <scotthelme@hotmail.com> wrote:

> At first glance it seems like a 'require-sri' keyword that you could drop
> into default/script/style-src would be more straightforward.

I think it could make sense. I'm not opposed to it if someone wants to submit a PR. I think the separate directive would be _simpler_, but I'm totally willing to believe that it's not _better_. :)

> If 'require-sri' became a new directive would it be an on/off setting like
> 'upgrade-insecure-requests' or could you configure which resource types it
> applies to? Would you need to?

I think you'd need to do something like `require-sri script image style` (or `require-sri *`) for this to be viable.

-mike