
Extend SRI to support integrity metadata on inline script/style blocks #44


Open
shekyan opened this issue Jun 22, 2016 · 11 comments · May be fixed by #86


shekyan commented Jun 22, 2016

Per F2F discussion, consider extending this specification to support integrity metadata on inline scripts (/styles?).

This also implies that require-sri-for will enforce integrity metadata on both inline and external resource types.

WDYT @metromoxie, @devd, @mozfreddyb, @fmarier ?


devd commented Jun 23, 2016

Totally fair to consider for sriv2. More curious about implementor interest.

devd added this to the v2 milestone Jun 23, 2016

shekyan commented Jun 23, 2016

You guys tricked me into this again :) I'll take it.


mikewest commented Jun 23, 2016

Apple wants it (see https://www.w3.org/2016/05/16-webappsec-minutes.html#item02 (+@johnwilander to confirm)). I wouldn't mind implementing in Chrome (though @metromoxie is the right person to ask).


shekyan commented Jun 23, 2016

Oh I thought @devd meant feature implementor in the spec.


annevk commented Feb 19, 2019

@mikewest does Chrome support this in some way? Asking because of validator/validator#764 (comment).


ghost commented Feb 25, 2019

[screenshot attached to the original comment: "screen shot 2019-02-25 at 7 25 31 pm"]

UA: YaBrowser 19.1.1.907 (64-bit)

All other inline scripts will run, but if, and only if, they contain integrity attribute with a valid SRI.


annevk commented Feb 25, 2019

@JHabdas could you create a minimal test? (I.e., a document with everything that isn't necessary to show the problem removed.)


ghost commented Feb 26, 2019


annevk commented Feb 26, 2019

@JHabdas that still contains an awful lot of noise. Surely all the style elements, SVG, etc. isn't needed? Seems to me you'd only need some CSP and a script element.


ghost commented Feb 26, 2019

Feel free to ad lib. I don't like looking at stark white pages.

mikewest (Member) commented:

@annevk: I missed this earlier, sorry I'm only seeing it now.

Chrome's behavior is strange and buggy:

In the absence of CSP: <script integrity="[any string at all]">...</script> will execute, as will <script integrity="[correct integrity metadata]">...</script>.

In the presence of CSP: <script integrity="[correct integrity metadata]">...</script> and <script integrity="[incorrect, but matching the policy, integrity metadata]">...</script> will execute, while <script integrity="[correct, but doesn't match the policy]">...</script> won't.

I think we screwed up our implementation of https://w3c.github.io/webappsec-csp/#external-hash. The right way to fix it, IMO, is to do the work to define the integration of SRI with inline script, and to fix the text in CSP to match. Since I probably screwed up Chrome's implementation, I'll take responsibility for the spec work and find someone to fix Chrome accordingly. :/


5 participants