
Re: [CSP] "sri" source expression to enforce SRI

From: Patrick Toomey <patrick.toomey@github.com>
Date: Thu, 17 Mar 2016 11:34:13 +0000
Message-ID: <CAN4Q8dB_JnYRyJBH22v=1x9Yy1HtA_Qk4hO5a=MAD83pCQKB=w@mail.gmail.com>
To: Mike West <mkwst@google.com>, Scott Helme <scotthelme@hotmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I think I am beginning to lean toward a separate directive for this as
well. Originally I felt the addition of a "require-sri" source expression
was simpler. But, it does muddle the entire notion of what a source
expression is and would make defining source expressions that much uglier
to formally define and implement. Defining this as its own directive seems
to simplify the specification and makes it more extensible going forward
if/when any changes are made to SRI itself.
On Thu, Mar 17, 2016 at 4:35 AM Mike West <mkwst@google.com> wrote:

> On Thu, Mar 17, 2016 at 11:11 AM, Scott Helme <scotthelme@hotmail.com>
> wrote:
>
>> At first glance it seems like a 'require-sri' keyword that you could drop
>> into default/script/style-src would be more straightforward.
>>
>
> I think it could make sense. I'm not opposed to it if someone wants to
> submit a PR. I think the separate directive would be _simpler_, but I'm
> totally willing to believe that it's not _better_. :)
>
>
>> If 'require-sri' became a new directive would it be an on/off setting
>> like 'upgrade-insecure-requests' or could you configure which resource
>> types it applies to? Would you need to?
>>
>
> I think you'd need to do something like `require-sri script image style`
> (or `require-sri *`) for this to be viable.
>
> -mike
>
Received on Thursday, 17 March 2016 11:34:51 UTC