Re: [SRI] require-sri-for: missing integrity metadata? same-origin loads?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 9 Sep 2016 16:44:31 -0700
Message-ID: <CADYDTCAdtz-0kCRfxCbDKyJPfZzcVbsWZMKN5Fe3JjT1HaMkbQ@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Sep 9, 2016 at 4:23 PM, Francois Marier <francois@mozilla.com> wrote:

> It does however mean that we need to be careful before blocking new
> sources of scripts in the future. Otherwise, we could end up with
> something like:
>

We have to block all scripts, and any new scripts we invent in the future
as soon as they are invented.


> 1. Developer adds require-sri to their site and SRI to all scripts.
> 2. Browser 50 introduces MegaWorkers.
> 3. Developer takes advantage of MegaWorkers on their site.
> 4. Browser 51 adds MegaWorkers to require-sri.
>

Browser 50 did a bad thing.

This has always been a potential issue with content loading in CSP in
general. If we invent Beacon, etc. then we have to make sure Beacon is
covered by some policy, falling back to default-src, right from the
beginning.

-Dan Veditz
Received on Friday, 9 September 2016 23:45:00 UTC
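The two mechanisms the thread turns on, `require-sri-for` refusing a script or style load that carries no (or wrong) integrity metadata, and every fetch type resolving to `default-src` when nothing more specific is set, as a small added simulation. This is example code written for this archive page, not browser or spec code; the policy string, the resource body and the hypothetical `megaworker-src` directive are constructed, and `require-sri-for` itself was later deprecated.

```python
import base64
import hashlib

# Constructed policy for the example: scripts and styles must carry SRI.
CSP = "default-src 'self'; script-src 'self' https://cdn.example; require-sri-for script style"

# CSP3 fetch-directive fallback order. The hypothetical "megaworker-src"
# has no entry, so it resolves straight to default-src, which is the
# behaviour the thread says any new fetch directive needs from day one.
FALLBACKS = {
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}

def parse_csp(header):
    """Map each directive name to its list of source values."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_directive(policy, name):
    """Return the directive that actually governs a fetch of type `name`."""
    for candidate in [name] + FALLBACKS.get(name, ["default-src"]):
        if candidate in policy:
            return candidate
    return None

def sri_value(body, alg="sha384"):
    """Serialize an integrity token (e.g. 'sha384-...') for a resource body."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")

def check_load(policy, resource_type, integrity, body):
    """Apply require-sri-for to one load; returns (allowed, reason).
    resource_type is the keyword the directive uses ('script', 'style')."""
    if resource_type in policy.get("require-sri-for", []):
        if not integrity:
            return False, f"{resource_type} load has no integrity metadata"
        # Any token with a supported hash algorithm that matches lets it through.
        tokens = integrity.split()
        if not any(t.split("-", 1)[0] in ("sha256", "sha384", "sha512")
                   and sri_value(body, t.split("-", 1)[0]) == t for t in tokens):
            return False, "integrity mismatch"
    return True, "allowed"
```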