Extend SRI to support integrity metadata on inline script/style blocks #44
Comments
Totally fair to consider for sriv2. More curious about implementor interest.
You guys tricked me into this again :) I'll take it.
Apple wants it (see https://www.w3.org/2016/05/16-webappsec-minutes.html#item02 (+@johnwilander to confirm)). I wouldn't mind implementing in Chrome (though @metromoxie is the right person to ask).
Oh, I thought @devd meant feature implementor in the spec.
@mikewest does Chrome support this in some way? Asking because of validator/validator#764 (comment).
@jhabdas could you create a minimal test? (I.e., a document with everything that isn't necessary to show the problem removed.)
@annevk https://jhabdas.keybase.pub/after-dark-w3c-sri-44.htm reduced test case
@jhabdas that still contains an awful lot of noise. Surely all the
Feel free to ad lib. I don't like looking at stark white pages.
@annevk: I missed this earlier, sorry I'm only seeing it now. Chrome's behavior is strange and buggy:
In the absence of CSP:
In the presence of CSP:
I think we screwed up our implementation of https://w3c.github.io/webappsec-csp/#external-hash. The right way to fix it, IMO, is to do the work to define the integration of SRI with inline script, and to fix the text in CSP to match. Since I probably screwed up Chrome's implementation, I'll take responsibility for the spec work and find someone to fix Chrome accordingly. :/

Per F2F discussion, consider extending this specification to support integrity metadata on inline scripts (/styles?).
This also implies that require-sri-for will enforce integrity metadata on both inline and external resource types.
WDYT @metromoxie, @devd, @mozfreddyb, @fmarier?