- From: Frederik Braun <fbraun@mozilla.com>
- Date: Fri, 9 Sep 2016 09:28:37 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi,

(This e-mail is assuming you are familiar with require-sri-for in the latest editor's draft at <https://w3c.github.io/webappsec-subresource-integrity/#parse-require-sri-for>.)

People have asked for SRI reporting, SRI report-only. I suggest we bake all SRI/CSP interaction into a single CSP directive.

Thus, I am suggesting we rename the require-sri-for directive into e.g., "sri-options". For now, the directive would understand the tokens 'require-script' and 'require-style' [1]

What do you think?

Freddy

[1] With quotes or without, I don't really mind. CSP tokens in -src: directives that aren't URLs are quoted. Referrer-Policy is debating whether things should be quoted or not. I'd personally find it less confusing to have everything in quotes that is not a URL. Not all directives seem to follow this approach though (sandbox, reflected-xss, referrer).
Received on Friday, 9 September 2016 07:29:08 UTC