Contact emails
Blink implementor and spec editor:
Other spec editors:
fran...@mozilla.com, fbr...@mozilla.com, d...@dropbox.com
Spec
https://w3c.github.io/webappsec/specs/subresourceintegrity/
Tag review info (upcoming):
https://github.com/w3ctag/spec-reviews/issues/43
Summary
Adds support for a new 'integrity' attribute for <link> and <script> elements that allows a developer to specify a hash value (or set of hash values) for the content of the resource. If the response for the resource does not match one of the hashes, it is a network error. Only applies to same origin or CORS enabled fetches.
Link to “Intent to Implement” blink-dev discussion
Intent to Implement conversation: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/hTDUpMk_TV8
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Demo link
None.
Debuggability
Console messages implemented for mismatching content and hashes.
Compatibility Risk
I believe the compatibility risk for this feature to be low. We have kept the syntax open for extensions to the feature going forward (such as specifying content types), so it is unlikely that we would invalidate usage of V1 syntax features. There is a chance we will deprecate particular hash functions that become insecure in the future, but that's built into the spec and feature.
OWP launch tracking bug?
https://crbug.com/355467
Entry on the feature dashboard
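An added example, not part of the original thread or of Blink's code: a Node.js sketch of the check the Summary describes, covering a set of hashes, a mismatch treated as a network error, and the same-origin/CORS condition. The `alg-base64digest` attribute syntax, the "strongest algorithm wins" rule and the failure of non-CORS cross-origin responses are assumptions taken from the SRI specification, not from this message; all function names and the sample script body are constructed for illustration.

```javascript
// Added illustration; names are hypothetical, not Blink's implementation.
const crypto = require('crypto');

const SUPPORTED = ['sha256', 'sha384', 'sha512']; // ordered weakest to strongest

// Value a developer would place in integrity="..." for a given resource body.
function integrityFor(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Split the attribute into {alg, digest}; unsupported algorithms are ignored
// so that future hash functions do not break older clients.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((tok) => {
    const i = tok.indexOf('-');
    return { alg: tok.slice(0, i).toLowerCase(), digest: tok.slice(i + 1) };
  }).filter((m) => SUPPORTED.includes(m.alg));
}

// true: the response may be used; false: treat the fetch as a network error.
function checkResponse(body, attr, { sameOrigin, corsEnabled }) {
  const metadata = parseIntegrity(attr);
  if (metadata.length === 0) return true;        // nothing enforceable was given
  if (!sameOrigin && !corsEnabled) return false; // body not readable: cannot verify
  // Only hashes using the strongest listed algorithm are considered, so a
  // leftover weak hash cannot be used to downgrade the check.
  const top = Math.max(...metadata.map((m) => SUPPORTED.indexOf(m.alg)));
  return metadata
    .filter((m) => SUPPORTED.indexOf(m.alg) === top)
    .some((m) => {
      const actual = crypto.createHash(m.alg).update(body).digest();
      return actual.equals(Buffer.from(m.digest, 'base64'));
    });
}

// Constructed sample: a script body and a tampered copy of it.
const SAMPLE = Buffer.from('console.log("library v1");\n');
const TAMPERED = Buffer.from('console.log("library v1");fetch("/x");\n');

function demo() {
  const attr = integrityFor(SAMPLE);
  return {
    attr,
    intact: checkResponse(SAMPLE, attr, { sameOrigin: true }),
    tampered: checkResponse(TAMPERED, attr, { sameOrigin: true }),
  };
}
```

Listing two hashes of the same strength, for example during a rollover between two versions of a file, lets either version load; a single stronger hash overrides any weaker ones listed beside it.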
We're waiting for code review. If all goes well it will land in Firefox
Nightly in a few weeks.
See also https://bugzilla.mozilla.org/show_bug.cgi?id=992096