Extend SRI to support integrity metadata on inline script/style blocks #44
Comments
totally fair to consider for sriv2. More curious about implementor interest.
You guys tricked me into this again:) I'll take it.
Apple wants it (see https://www.w3.org/2016/05/16-webappsec-minutes.html#item02 (+@johnwilander to confirm)). I wouldn't mind implementing in Chrome (though @metromoxie is the right person to ask).
Oh I thought @devd meant feature implementor in the spec.
@mikewest does Chrome support this in some way? Asking because of validator/validator#764 (comment).
@JHabdas could you create a minimal test? (I.e., a document with everything that isn't necessary to show the problem removed.)
@annevk https://jhabdas.keybase.pub/after-dark-w3c-sri-44.htm reduced test case
@JHabdas that still contains an awful lot of noise. Surely all the
Feel free to ad lib. I don't like looking at stark white pages.
@annevk: I missed this earlier, sorry I'm only seeing it now. Chrome's behavior is strange and buggy: In the absence of CSP: In the presence of CSP: I think we screwed up our implementation of https://w3c.github.io/webappsec-csp/#external-hash. The right way to fix it, IMO, is to do the work to define the integration of SRI with inline script, and to fix the text in CSP to match. Since I probably screwed up Chrome's implementation, I'll take responsibility for the spec work and find someone to fix Chrome accordingly. :/
Per F2F discussion, consider extending this specification to support integrity metadata on inline scripts(/styles?).
This also implies that require-sri-for will enforce integrity metadata on both inline and external resource types.
WDYT @metromoxie, @devd, @mozfreddyb, @fmarier?