Added a note on `require-sri-for` matching
Showing 7 additions and 0 deletions.

index.bikeshed.bs (+7 −0)
@@ -384,6 +384,7 @@ The following list contains the set of <dfn noexport>known tokens</dfn>: |
* `script` requires SRI for scripts
* `style` requires SRI for style sheets
+
### Parsing `require-sri-for` ### {#parse-require-sri-for}
Given a string (|token list|), this algorithm returns a list of resource
@@ -411,6 +412,12 @@ Given a <a>request</a> (|request|) and a <a>policy</a> (|policy|): |
one token in |protected resource types|, and |request|'s integrity metadata
is the empty string, return "Blocked".
+ Note: This logic means that request with matched <a>destination</a> and missing <a>integrity metadata</a>
+ will be blocked even if it is not currently possible to set it's <a>integrity metadata</a>.
+ Such requests are originated by, for example, <code>importScripts()</code>, CSS' <code>@import</code>,
+ or `script`/`style` elements without crossorigin content attribute.
+
+
3. Return "Allowed".
<div class="example">
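Review bot: The last added line's example of `script`/`style` elements without a crossorigin content attribute does not fit the note's premise that integrity metadata "is not currently possible to set": the element's `integrity` attribute populates the request's integrity metadata whether or not `crossorigin` is present; what a missing `crossorigin` costs is a CORS-eligible response for cross-origin loads, so such a request carries metadata and fails later at response matching rather than being blocked here for empty metadata. Suggest dropping that example or rewording it, and keeping `importScripts()` and CSS `@import`, which genuinely have no way to supply metadata today. Grammar in the first two added lines: "means that request with matched" should read "means that a request with a matched", and "it's" should be "its". Style: the note mixes `<code>importScripts()</code>` with backticked `script`/`style`; pick one inline-code form, and the two trailing `+` blank lines before `3. Return "Allowed".` can be collapsed to one so the note stays attached to step 2 of the list without a double blank.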
0 comments on commit 29db421