Extend SRI to support integrity metadata on inline script/style blocks #44

Open
shekyan opened this issue Jun 22, 2016 · 11 comments · May be fixed by #86
@shekyan shekyan commented Jun 22, 2016

Per F2F discussion, consider extending this specification to support integrity metadata on inline scripts (/styles?).

This also implies that require-sri-for will enforce integrity metadata on both inline and external resource types.

WDYT @metromoxie, @devd, @mozfreddyb, @fmarier ?

@devd devd commented Jun 23, 2016

Totally fair to consider for SRI v2. More curious about implementor interest.

@shekyan shekyan commented Jun 23, 2016

You guys tricked me into this again :) I'll take it.

@mikewest mikewest commented Jun 23, 2016

Apple wants it (see https://www.w3.org/2016/05/16-webappsec-minutes.html#item02 (+@johnwilander to confirm)). I wouldn't mind implementing in Chrome (though @metromoxie is the right person to ask).

@shekyan shekyan commented Jun 23, 2016

Oh I thought @devd meant feature implementor in the spec.

@annevk annevk commented Feb 19, 2019

@mikewest does Chrome support this in some way? Asking because of validator/validator#764 (comment).

@ghost ghost commented Feb 25, 2019

[Screenshot attached: 2019-02-25, 7:25:31 pm]

UA: YaBrowser 19.1.1.907 (64-bit)

All other inline scripts will run, but if, and only if, they contain an integrity attribute with a valid SRI.

@annevk annevk commented Feb 25, 2019

@jhabdas could you create a minimal test? (I.e., a document with everything that isn't necessary to show the problem removed.)

@ghost ghost commented Feb 26, 2019

@ghost ghost mentioned this issue Feb 26, 2019
@annevk annevk commented Feb 26, 2019

@jhabdas that still contains an awful lot of noise. Surely all the style elements, SVG, etc. aren't needed? Seems to me you'd only need some CSP and a script element.

@ghost ghost commented Feb 26, 2019

Feel free to ad lib. I don't like looking at stark white pages.

@mikewest mikewest commented Dec 16, 2019

@annevk: I missed this earlier, sorry I'm only seeing it now.

Chrome's behavior is strange and buggy:

In the absence of CSP: `<script integrity="[any string at all]">...</script>` will execute, as will `<script integrity="[correct integrity metadata]">...</script>`.

In the presence of CSP: `<script integrity="[correct integrity metadata]">...</script>` and `<script integrity="[incorrect, but matching the policy, integrity metadata]">...</script>` will execute, while `<script integrity="[correct, but doesn't match the policy]">...</script>` won't.

I think we screwed up our implementation of https://w3c.github.io/webappsec-csp/#external-hash. The right way to fix it, IMO, is to do the work to define the integration of SRI with inline script, and to fix the text in CSP to match. Since I probably screwed up Chrome's implementation, I'll take responsibility for the spec work and find someone to fix Chrome accordingly. :/

mikewest added a commit that referenced this issue Dec 16, 2019