Intent to Implement: SRI: The `require-sri-for` CSP directive.


Sergey Shekyan

Jul 13, 2016, 4:44:25 PM
to blin...@chromium.org

Contact emails

she...@gmail.com, j...@chromium.org



Summary
The `require-sri-for` directive gives developers the ability to assert to the browser that every resource of a given type ought to be integrity checked. If a resource of that type is loaded without integrity metadata, it will be rejected without triggering a network request.

Motivation
A discussion started on this public-webappsec@ thread (https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0045.html) motivated the implementation.

Ongoing technical constraints
Currently, if the directive is present, the presence of integrity metadata is enforced even on resources that do not support SRI, like preload and workers, with the idea in mind that SRI coverage will increase with time.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.

OWP launch tracking bug
 

Requesting approval to ship?
I guess so, probably once https://crbug.com/627966 is resolved.


Thanks, 
Sergey Shekyan
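
The enforcement described in the Summary above, as an added example that is not part of the original thread or of Chromium's code: a Python audit that lists the external scripts and stylesheets a page would have rejected under `require-sri-for`. The `script` and `style` tokens are the directive's values; the function and class names, the sample policy and the sample page are constructed for illustration, and the check models only the presence of integrity metadata.

```python
from html.parser import HTMLParser

def required_types(csp_header):
    """Resource types named by require-sri-for in a CSP header value."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "require-sri-for":
            return {t.lower() for t in tokens[1:]} & {"script", "style"}
    return set()

class SriAudit(HTMLParser):
    """Collects fetched scripts/styles that carry no integrity attribute."""
    def __init__(self, required):
        super().__init__()
        self.required = required
        self.would_block = []  # (type, url, line) tuples
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        kind = url = None
        if tag == "script" and a.get("src"):
            kind, url = "script", a["src"]
        elif tag == "link" and a.get("href"):
            rel = a.get("rel", "").lower().split()
            if "stylesheet" in rel:
                kind, url = "style", a["href"]
            # Preload is counted because the thread says it is enforced too.
            elif "preload" in rel and a.get("as", "").lower() in self.required:
                kind, url = a["as"].lower(), a["href"]
        # Assumption: only the presence of metadata is checked, not the hash.
        if kind in self.required and not a.get("integrity", "").strip():
            self.would_block.append((kind, url, self.getpos()[0]))

def audit(csp_header, html):
    parser = SriAudit(required_types(csp_header))
    parser.feed(html)
    parser.close()
    return parser.would_block

# Constructed sample input; hosts and hash values are placeholders.
CSP = "default-src 'self'; require-sri-for script style"
PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example/a.css">
<link rel="stylesheet" href="/b.css" integrity="sha384-PLACEHOLDER">
<link rel="preload" as="script" href="/app.js">
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/app.js"></script>
</head></html>"""
if __name__ == "__main__":
    print(audit(CSP, PAGE))
```

Running the audit over rendered pages before the header is deployed shows which tags still need an `integrity` attribute; the preload entry in the sample reflects the constraint noted in the post, where the requirement applies even to resource types that cannot yet carry SRI metadata.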

Mike West

Jul 14, 2016, 1:22:17 AM
to Sergey Shekyan, blink-dev
Note that Firefox already has an implementation of this directive behind a flag: https://bugzilla.mozilla.org/show_bug.cgi?id=1265318. Once we're confident that the implementation Sergey is putting together in https://codereview.chromium.org/2056183002/ is interoperable with Firefox's, we'll send out an intent to ship.

-mike

