[SRI] require-sri-for syntax and additional SRI/CSP interaction from Frederik Braun on 2016-09-09 (public-webappsec@w3.org from September 2016)

From: Frederik Braun <fbraun@mozilla.com>
Date: Fri, 9 Sep 2016 09:28:37 +0200
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <85fab1a6-7614-936f-fa16-4c4757f8150c@mozilla.com>

Hi,

(This e-mail is assuming you are familiar with require-sri-for in the
latest editor's draft at
<https://w3c.github.io/webappsec-subresource-integrity/#parse-require-sri-for>.)

People have asked for SRI reporting, SRI report-only. I suggest we bake
all SRI/CSP interaction into a single CSP directive.

Thus, I am suggesting we rename the require-sri-for directive into e.g.,
"sri-options". For now, the directive would understand the tokens
'require-script' and 'require-style' [1]

What do you think?

Freddy


[1] With quotes or without, I don't really mind.

CSP tokens in -src: directives that aren't URLs are quoted.
Referrer-Policy is debating whether things should be quoted or not.
I'd personally find it less confusing to have everything in quotes that
is not a URL. Not all directives seem to follow this approach though
(sandbox, reflected-xss, referrer).

Received on Friday, 9 September 2016 07:29:08 UTC