[SRI] require-sri-for syntax and additional SRI/CSP interaction

Hi,

(This e-mail is assuming you are familiar with require-sri-for in the
latest editor's draft at
<https://w3c.github.io/webappsec-subresource-integrity/#parse-require-sri-for>.)

People have asked for SRI reporting and SRI report-only. I suggest we bake
all SRI/CSP interaction into a single CSP directive.

Thus, I am suggesting we rename the require-sri-for directive to, e.g.,
"sri-options". For now, the directive would understand the tokens
'require-script' and 'require-style' [1].

What do you think?

Freddy


[1] With quotes or without, I don't really mind.

CSP tokens in -src: directives that aren't URLs are quoted.
Referrer-Policy is debating whether things should be quoted or not.
I'd personally find it less confusing to have everything in quotes that
is not a URL. Not all directives seem to follow this approach though
(sandbox, reflected-xss, referrer).

Received on Friday, 9 September 2016 07:29:08 UTC
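
An added illustration, not part of the original e-mail or of the SRI draft: a parser that reads the integrity requirement from either the draft's `require-sri-for` directive or the proposed `sri-options` directive, accepting tokens with or without quotes as footnote [1] leaves open. The function names, the sample policies, and the handling of unknown tokens and repeated directives are assumptions made for this sketch.

```javascript
// Directive and token names are taken from the e-mail; the parsing rules are assumed.
const LEGACY = 'require-sri-for'; // draft directive, tokens: script / style
const PROPOSED = 'sri-options';   // proposed rename, tokens: require-script / require-style

// Remove one pair of surrounding single quotes so both spellings in footnote [1] parse.
function unquote(token) {
  return /^'.+'$/.test(token) ? token.slice(1, -1) : token;
}

// Return the set of destinations ("script", "style") that must carry integrity metadata.
function parseSriRequirements(policy) {
  const required = new Set();
  const seen = new Set();
  for (const part of policy.split(';')) {
    const [rawName, ...tokens] = part.trim().split(/\s+/);
    if (!rawName) continue;
    const name = rawName.toLowerCase();
    if (seen.has(name)) continue; // assumed: a repeated directive is ignored, as in CSP
    seen.add(name);
    if (name !== LEGACY && name !== PROPOSED) continue;
    const pattern = name === PROPOSED ? /^require-(script|style)$/ : /^(script|style)$/;
    for (const token of tokens) {
      const match = pattern.exec(unquote(token).toLowerCase());
      if (match) required.add(match[1]); // unknown tokens are skipped, not fatal
    }
  }
  return required;
}

// True when the policy demands integrity metadata for this destination and none is present.
function mustBlock(policy, destination, integrityAttr) {
  const hasMetadata = typeof integrityAttr === 'string' && integrityAttr.trim() !== '';
  return parseSriRequirements(policy).has(destination) && !hasMetadata;
}

// Constructed sample policies, one per spelling discussed in the e-mail.
const samples = [
  "default-src 'self'; require-sri-for script style",
  "default-src 'self'; sri-options 'require-script'",
  "sri-options require-style",
];
for (const policy of samples) {
  console.log(policy, '->', [...parseSriRequirements(policy)].join(', '));
}
```

Skipping unknown tokens instead of rejecting the directive is what would let later tokens, such as the reporting options the e-mail mentions, be added without breaking older parsers.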