On script/style pre-request checks, if the integrity hashes match then we skip the source-based matching check. This means that `script-src 'self' 'sha512-abc'` passes the pre-request check for a cross-origin script with a matching hash.
However, that would be blocked on post-request, since we have no logic for hashes there anymore.
As with nonces, I believe we would like to allow the request in this case.
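
A simplified model of the mismatch described in this issue, added here as an illustration and not taken from the specification or any browser. The function names, the reduced source-list matching, and the `example.test` origins are assumptions.

```javascript
// Simplified model of the two CSP checks described in the issue (not spec text).
// Policy and request values are constructed for illustration.
const policy = { selfOrigin: 'https://example.test', sources: ["'self'", "'sha512-abc'"] };

const HASH_RE = /^'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'$/;

// Hash source expressions listed in the directive, as "alg-value" strings.
function policyHashes(p) {
  return p.sources.map(s => HASH_RE.exec(s)).filter(Boolean)
    .map(m => `${m[1]}-${m[2]}`);
}

// Source-list match reduced to 'self' and exact-origin expressions.
function matchesSourceList(p, url) {
  const origin = new URL(url).origin;
  return p.sources.some(s => (s === "'self'" && origin === p.selfOrigin) || s === origin);
}

// True when the request carries integrity metadata and every entry is listed in the policy.
function integrityMatches(p, integrity) {
  const wanted = integrity.split(/\s+/).filter(Boolean);
  const listed = policyHashes(p);
  return wanted.length > 0 && wanted.every(h => listed.includes(h));
}

// Pre-request: a full integrity match skips the source-based check.
function preRequestCheck(p, req) {
  if (integrityMatches(p, req.integrity)) return 'Allowed';
  return matchesSourceList(p, req.url) ? 'Allowed' : 'Blocked';
}

// Post-request as the issue describes it: source matching only, no hash logic.
function postRequestCheck(p, req, res) {
  return matchesSourceList(p, res.url) ? 'Allowed' : 'Blocked';
}

// Behaviour the issue asks for: the same integrity bypass applied post-request.
function postRequestCheckWithHashes(p, req, res) {
  if (integrityMatches(p, req.integrity)) return 'Allowed';
  return postRequestCheck(p, req, res);
}

// Cross-origin script whose integrity metadata matches the hash in the policy.
const req = { url: 'https://cdn.example.test/lib.js', integrity: 'sha512-abc' };
const res = { url: req.url };
console.log(preRequestCheck(policy, req), postRequestCheck(policy, req, res),
  postRequestCheckWithHashes(policy, req, res));
```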