Intent to Prototype: CSP require-sri-for
Yoav Weiss (@Shopify)
Contact emails
yoav...@chromium.orgExplainer
Not yetSpecification
Not yetSummary
The `require-sri-for` directive gives developers the ability to assert that every resource of a given type needs to be integrity checked. If a resource of that type is attempted to be loaded without integrity metadata, that attempt will fail and trigger a CSP violation report.
Blink component
Blink>SecurityFeature>ContentSecurityPolicyMotivation
Subresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI. The `require-sri-for` CSP directive would enable developers achieve that.
Initial public proposal
This revives an old I2I for the ~same API.TAG review
Not yetTAG review status
Risks
Interoperability and Compatibility
No particular compatibility concern. It's too early to discuss interop risks, but at worst, this directive would apply (voluntary) content restrictions which won't be applied in non-supporting browsers. So I wouldn't expect content to break in other browsers.
Gecko: No signal. Haven't asked yet.
WebKit: No signal. Haven't asked yet.
Web developers: No signals, but I suspect PCIv4 would make some developers interested in making sure their documents' scripts have complete integrity checks.
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Debuggability
None
Is this feature fully tested by web-platform-tests?
YesFlag name on about://flags
NoneFinch feature name
RequireSRIForNon-finch justification
NoneRequires code in //chrome?
FalseEstimated milestones
No milestones specified