- From: Francois Marier <francois@brave.com>
- Date: Fri, 13 Sep 2019 10:09:55 -0700
- To: public-webappsec@w3.org
On 2019-09-11 22:20, Vibha Sethi wrote:
> I had a question regarding SRI. Wondering if SRI supports report-only
> mode where in if the signature for a given resource does not match, the
> browser sends a report but does not block resource from getting loaded
> on the page.

It does not support such a reporting mode. To get something like that, you'd have to write JS code to monitor for network errors (i.e. `onerror` attribute) and then dynamically insert a script element for the same script but without an `integrity` attribute.

That said, these errors should not happen since SRI is only meant to be used for immutable resources. If a site wants to load a script that might change, then it should do so without SRI.

Francois
Received on Friday, 13 September 2019 17:10:18 UTC
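
The workaround described in the message above, as an added example that is not part of the original post: a loader that reports a failed integrity-checked load and then inserts the same script without `integrity`. The function names, the report fields and the reporting endpoint are assumptions; `doc` and `nav` are passed in (normally `document` and `navigator`) so the logic can be exercised outside a browser.

```javascript
// Added example: emulate a "report-only" SRI mode for a single script.
// Function names and report fields are hypothetical, not a standard API.
function loadScriptReportOnly(doc, src, integrity, sendReport) {
  const checked = doc.createElement("script");
  checked.src = src;
  checked.integrity = integrity;
  // Cross-origin resources must be fetched with CORS for SRI to apply.
  checked.crossOrigin = "anonymous";

  checked.onerror = () => {
    // The error event carries no reason: an integrity mismatch and a plain
    // network failure look identical here, so the report cannot tell them apart.
    sendReport({ src, integrity, event: "sri-or-network-error" });

    // Fallback: same script, no integrity attribute, so it is not blocked.
    const unchecked = doc.createElement("script");
    unchecked.src = src;
    unchecked.onerror = () => sendReport({ src, event: "fallback-failed" });
    doc.head.appendChild(unchecked);
  };

  doc.head.appendChild(checked);
  return checked;
}

// Hypothetical reporter: sends each report as JSON to an endpoint you operate.
function beaconReporter(nav, reportUrl) {
  return (report) => nav.sendBeacon(reportUrl, JSON.stringify(report));
}
```

In a page this would be called as `loadScriptReportOnly(document, url, hash, beaconReporter(navigator, "/sri-report"))`, where `/sri-report` is a placeholder path. Once the fallback runs, the script executes without any integrity guarantee, so the report is the only remaining signal that the content changed.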