Enforce integrity() URL modifier for CSS resources [chromium/src : main]

[jj (Gerrit)]

Attention needed from Fredrik Söderquist and Mike West

jj voted and added 1 comment

Votes added by jj

Commit-Queue

+1

1 comment

File third_party/blink/renderer/core/loader/resource/svg_document_resource.cc

Line 113, Patchset 5 (Latest): // TODO(crbug.com/435625756): Surface the integrity failure to the

jj . resolved

I left this as a TODO here for now (and also in `image_resource.cc`) since it's not really clear to me how we can plumb through the failure from here to a `execution_context` in a non-ugly way. If you have any pointers on how we can achieve that, it would be much appreciated 😄

Open in Gerrit

Related details

Attention is currently required from:

• Fredrik Söderquist
• Mike West

Submit Requirements:

• Code-Coverage
• Code-Owners
• Code-Review
• Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: comment

Gerrit-Project: chromium/src

Gerrit-Branch: main

Gerrit-Change-Id: I852fd6ae3b5d93a9c6c5a38cf1979e99731d92cf

Gerrit-Change-Number: 7748032

Gerrit-PatchSet: 5

Gerrit-Owner: jj <j...@chromium.org>

Gerrit-Reviewer: Fredrik Söderquist <f...@opera.com>

Gerrit-Reviewer: Mike West <mk...@chromium.org>

Gerrit-Reviewer: jj <j...@chromium.org>

Gerrit-CC: Chromium LUCI CQ <chromiu...@luci-project-accounts.iam.gserviceaccount.com>

Gerrit-CC: Menard, Alexis <alexis...@intel.com>

Gerrit-CC: Nate Chapin <jap...@chromium.org>

Gerrit-CC: chromium...@chromium.org

Gerrit-Attention: Mike West <mk...@chromium.org>

Gerrit-Attention: Fredrik Söderquist <f...@opera.com>

Gerrit-Comment-Date: Sun, 12 Apr 2026 17:06:27 +0000

Gerrit-HasComments: Yes

Gerrit-Has-Labels: Yes

[Fredrik Söderquist (Gerrit)]

Attention needed from Mike West and jj

Fredrik Söderquist added 4 comments

File third_party/blink/renderer/core/loader/resource/image_resource.cc

Line 563, Patchset 7 (Latest): if (has_integrity) {
if (PassedIntegrityChecks()) {
UpdateImage(Data(), ImageResourceContent::kUpdateImage, true);
} else {


// TODO(crbug.com/435625756): Surface the integrity failure to the


// devtools console.
UpdateImage(nullptr, ImageResourceContent::kClearImageAndNotifyObservers,
/*all_data_received=*/true);
}
ClearData();
}

Fredrik Söderquist . unresolved

This changes the ordering in a way that may have additional side-effects. Perhaps it would be better to explicitly call `CheckResourceIntegrity` here instead (it should then be a no-op in `Resource::Finish`. I'm also not sure how integrity would interact with multipart, but if anyone has a use case for it I guess it can be solved... (But maybe ignore it in that case for now? Maybe Mike can shed some light there.)

File third_party/blink/renderer/core/loader/resource/svg_document_resource.cc

Line 109, Patchset 7 (Latest): if (has_integrity && !has_successful_revalidation) {
if (PassedIntegrityChecks()) {
notify_observers = UpdateContent();
} else {


// TODO(crbug.com/435625756): Surface the integrity failure to the


// devtools console.
content_->UpdateStatus(ResourceStatus::kLoadError);
notify_observers = true;
}
}

Fredrik Söderquist . unresolved

Same concern here.

File third_party/blink/web_tests/external/wpt/css/css-values/urls/integrity/url-image-integrity-negative.sub.html

Line 4, Patchset 7 (Latest):<link rel="match" href="../url-image-ref.html">

Fredrik Söderquist . unresolved

This test looks like it could use one of the pre-existing 100x100 (or other dimension) green rects.

File third_party/blink/web_tests/external/wpt/css/css-values/urls/integrity/url-image-integrity.sub.html

Line 4, Patchset 7 (Latest):<link rel="match" href="../url-image-ref.html">

Fredrik Söderquist . unresolved

Ditto here.

Open in Gerrit

Related details

Attention is currently required from:

• Mike West
• jj

Submit Requirements:

• Code-Coverage
• Code-Owners
• Code-Review

• No-Unresolved-Comments

• Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: comment

Gerrit-Project: chromium/src

Gerrit-Branch: main

Gerrit-Change-Id: I852fd6ae3b5d93a9c6c5a38cf1979e99731d92cf

Gerrit-Change-Number: 7748032

Gerrit-PatchSet: 7

Gerrit-Owner: jj <j...@chromium.org>

Gerrit-Reviewer: Fredrik Söderquist <f...@opera.com>

Gerrit-Reviewer: Mike West <mk...@chromium.org>

Gerrit-Reviewer: jj <j...@chromium.org>

Gerrit-CC: Menard, Alexis <alexis...@intel.com>

Gerrit-CC: Nate Chapin <jap...@chromium.org>

Gerrit-CC: chromium...@chromium.org

Gerrit-CC: chromiu...@luci-project-accounts.iam.gserviceaccount.com <chromiu...@luci-project-accounts.iam.gserviceaccount.com>

Gerrit-Attention: Mike West <mk...@chromium.org>

Gerrit-Attention: jj <j...@chromium.org>

Gerrit-Comment-Date: Mon, 13 Apr 2026 11:45:53 +0000

Gerrit-HasComments: Yes

Gerrit-Has-Labels: No

[Fredrik Söderquist (Gerrit)]

Attention needed from Mike West and jj

Fredrik Söderquist added 1 comment

Patchset-level comments

File-level comment, Patchset 7 (Latest):

Fredrik Söderquist . resolved

Oh, and we probably want to flag guard at least some of this? (The case where integrity was previously checked.)

Gerrit-Comment-Date: Mon, 13 Apr 2026 11:47:11 +0000

Gerrit-HasComments: Yes

Gerrit-Has-Labels: No