
Re: Questions regarding SRI

From: Francois Marier <francois@brave.com>
Date: Fri, 13 Sep 2019 10:09:55 -0700
To: public-webappsec@w3.org
Message-ID: <30a00c04-b09d-0057-ecc3-eac1ebc1d5f5@brave.com>

On 2019-09-11 22:20, Vibha Sethi wrote:
> I had a question regarding SRI. Wondering if SRI supports report-only
> mode wherein, if the signature for a given resource does not match, the
> browser sends a report but does not block the resource from getting loaded
> on the page.

It does not support such a reporting mode.

To get something like that, you'd have to write JS code to monitor for
network errors (i.e. `onerror` attribute) and then dynamically insert a
script element for the same script but without an `integrity` attribute.

That said, these errors should not happen since SRI is only meant to be
used for immutable resources. If a site wants to load a script that
might change, then it should do so without SRI.

Francois
Received on Friday, 13 September 2019 17:10:18 UTC
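
The workaround described in the reply above, as an added example that is not part of the original message or of any browser or specification code. The names `loadWithSriReportOnly` and `beaconReporter` and the `/sri-report` endpoint are hypothetical, and the document object is passed in so the logic can be exercised outside a browser.

```javascript
// Added example: emulating a "report-only" mode for SRI in page script.
// Assumption: REPORT_URL is a hypothetical same-origin collection endpoint.
const REPORT_URL = "/sri-report";

// Load `src` with an integrity check. If the load fails, report it and
// insert the same script again without the integrity attribute.
function loadWithSriReportOnly(doc, src, integrity, report) {
  const checked = doc.createElement("script");
  checked.src = src;
  checked.integrity = integrity;
  // Cross-origin resources must be fetched with CORS for SRI to apply.
  checked.crossOrigin = "anonymous";

  checked.onerror = () => {
    // The error event carries no reason, so a digest mismatch cannot be
    // told apart from a network or CORS failure. Report it as a candidate
    // and let the collector correlate.
    report({ src, integrity, event: "load-failed-with-integrity" });

    // From here on the script runs unverified, which is exactly what
    // "report-only" means: nothing is blocked any more.
    const unchecked = doc.createElement("script");
    unchecked.src = src;
    unchecked.onerror = () => {
      // A second failure points to a network problem, not a mismatch.
      report({ src, event: "load-failed-without-integrity" });
    };
    doc.head.appendChild(unchecked);
  };

  doc.head.appendChild(checked);
  return checked;
}

// Reporter that posts each record as JSON using navigator.sendBeacon.
function beaconReporter(nav, url = REPORT_URL) {
  return (record) => nav.sendBeacon(url, JSON.stringify(record));
}

// Browser usage (the digest shown is a placeholder, not a real value):
// loadWithSriReportOnly(document, "https://cdn.example/lib.js",
//   "sha384-PLACEHOLDER", beaconReporter(navigator));
```

A report followed by a successful unchecked load is the signal worth alerting on; a report followed by a second failure is most likely an outage.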
