- <li><ahref="#get-the-strongest-metadata"><spanclass="secno">3.3.4</span> <spanclass="content">Get the strongest metadata from <var>set</var></span></a>
- <li><ahref="#does-response-match-metadatalist"><spanclass="secno">3.3.5</span> <spanclass="content">Does <var>response</var> match <var>metadataList</var>?</span></a>
+ <li><ahref="#apply-algorithm-to-request"><spanclass="secno">3.3.3</span> <spanclass="content">Apply <var>algorithm</var> to <var>request</var></span></a>
</ol>
- <li><ahref="#verification-of-html-document-subresources"><spanclass="secno">3.4</span> <spanclass="content">Verification of HTML document subresources</span></a>
+ <li><ahref="#get-the-strongest-metadata"><spanclass="secno">3.4.4</span> <spanclass="content">Get the strongest metadata from <var>set</var></span></a>
+ <li><ahref="#does-response-match-metadatalist"><spanclass="secno">3.4.5</span> <spanclass="content">Does <var>response</var> match <var>metadataList</var>?</span></a>
+ </ol>
+ <li><ahref="#verification-of-html-document-subresources"><spanclass="secno">3.5</span> <spanclass="content">Verification of HTML document subresources</span></a>
- <li><ahref="#link-element-for-stylesheets"><spanclass="secno">3.8.1</span> <spanclass="content">The <code>link</code> element for stylesheets</span></a>
+ <li><ahref="#link-element-for-stylesheets"><spanclass="secno">3.9.1</span> <spanclass="content">The <code>link</code> element for stylesheets</span></a>
<p>In this case, the user agent will choose the strongest hash function in the
list, and use that metadata to validate the response (as described below in
-the <ahref="#parse-metadata">§3.3.3 Parse metadata</a> and <ahref="#get-the-strongest-metadata">§3.3.4 Get the strongest metadata from set</a> algorithms).</p>
+the <ahref="#parse-metadata">§3.4.3 Parse metadata</a> and <ahref="#get-the-strongest-metadata">§3.4.4 Get the strongest metadata from set</a> algorithms).</p>
<p>When a hash function is determined to be insecure, user agents SHOULD deprecate
and eventually remove support for integrity validation using the insecure hash
function. User agents MAY check the validity of responses using a digest based on
a deprecated function.</p>
<p>To allow authors to switch to stronger hash functions without being held back by older
user agents, validation using unsupported hash functions acts like no integrity value
-was provided (see the <ahref="#does-response-match-metadatalist">§3.3.5 Does response match metadataList?</a> algorithm below).
+was provided (see the <ahref="#does-response-match-metadatalist">§3.4.5 Does response match metadataList?</a> algorithm below).
Authors are encouraged to use strong hash functions, and to begin migrating to
stronger hash functions as they become available.</p>
+ <p>Authors may opt a Document to require SRI metadata be present for
+some resource types via a <dfnclass="dfn-paneled"data-dfn-type="dfn"data-export=""data-lt="require-sri-for"id="require-sri-for">require-sri-for<spanclass="dfn-panel"data-deco=""><b><ahref="#require-sri-for">#require-sri-for</a></b><b>Referenced in:</b><span><ahref="#ref-for-require-sri-for-1">3.3.2. Parsing require-sri-for</a></span></span></dfn> <adata-link-type="dfn"href="https://www.w3.org/TR/CSP/#content-security-policy">Content
+Security Policy</a> directive defined by the following ABNF grammar:</p>
+ <p>To parse the <var>token</var> list, the user agent MUST use an algorithm equivalent to the following:</p>
+ <ol>
+ <lidata-md="">
+ <p>Let the set of <var>protected resource types</var> that require SRI be the empty set.</p>
+ <lidata-md="">
+ <p>For each token returned by <adata-link-type="dfn"href="http://www.w3.org/TR/html5/scripting-1.html#split-a-string-on-spaces">splitting tokens on spaces</a>,
+if token matches the grammar for <adata-link-type="dfn"href="#require-sri-for"id="ref-for-require-sri-for-1">require-sri-for</a>,
+add the token to the set of <var>protected resource types</var>. Otherwise, ignore the token.</p>
+ <lidata-md="">
+ <p>Return the set of <var>protected resource types</var>.</p>
+ </ol>
+ <h4class="heading settled"data-level="3.3.3"id="apply-algorithm-to-request"><spanclass="secno">3.3.3. </span><spanclass="content">Apply <var>algorithm</var> to <var>request</var></span><aclass="self-link"href="#apply-algorithm-to-request"></a></h4>
+ <ol>
+ <lidata-md="">
+ <p>Let <var>protected resource types</var> be the result of <ahref="#parse-require-sri-for">§3.3.2 Parsing require-sri-for</a>.</p>
+ <lidata-md="">
+ <p>If <var>request</var>’s type is a <adata-link-type="dfn"href="http://www.w3.org/TR/html5/scripting-1.html#ascii-case-insensitive">ASCII case-insensitive match</a> for at least
+one token in <var>protected resource types</var>, and <var>request</var>’s integrity metadata
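Review bot: Step 1 of §3.3.3 Apply algorithm to request reads "Let protected resource types be the result of §3.3.2 Parsing require-sri-for" without naming what is parsed; the parsing algorithm above takes a token list as its input, so the step should say which policy's require-sri-for directive value is handed to it, e.g. "the result of executing §3.3.2 Parsing require-sri-for on the value of the require-sri-for directive that applies to request". Two smaller points in the same hunk: step 2 of the parsing algorithm silently ignores tokens that do not match the grammar, and since this section already has user agents SHOULD report a warning message to the developer console when SRI is used without CORS, the same SHOULD for an ignored token would let authors catch a misspelled directive value; and the paragraph introducing the directive ends with "defined by the following ABNF grammar:" but the next visible line is already the parsing paragraph, so please confirm the grammar block is present in the rendered section.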
+ <h4class="heading settled"data-level="3.4.1"id="apply-algorithm-to-response"><spanclass="secno">3.4.1. </span><spanclass="content">Apply <var>algorithm</var> to <var>response</var></span><aclass="self-link"href="#apply-algorithm-to-response"></a></h4>
<ol>
<lidata-md="">
- <p>Let <var>result</var> be the result of <ahref="#apply-algorithm-to-response">§3.3.1 Apply algorithm to response</a> to the <adata-link-type="dfn"href="#representation-data"id="ref-for-representation-data-1">representation data</a> without any content-codings
+ <p>Let <var>result</var> be the result of <ahref="#apply-algorithm-to-response">§3.4.1 Apply algorithm to response</a> to the <adata-link-type="dfn"href="#representation-data"id="ref-for-representation-data-1">representation data</a> without any content-codings
applied, except when the user agent intends to consume the content with
content-encodings applied. In the latter case, let <var>result</var> be
the result of applying <var>algorithm</var> to the <adata-link-type="dfn"href="#representation-data"id="ref-for-representation-data-2">representation data</a>.</p>
<p>Return <code>no metadata</code> if <var>empty</var> is <code>true</code>, otherwise return <var>result</var>.</p>
</ol>
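Review bot: As rendered, the first step under the new §3.4.1 Apply algorithm to response heading links back to §3.4.1 itself ("Let result be the result of §3.4.1 Apply algorithm to response to the representation data"), which defines the algorithm in terms of itself; the step should read "Let result be the result of applying algorithm to the representation data without any content-codings applied ...", matching the wording of the second sentence of the same step. Also, that step says "without any content-codings applied" and then "with content-encodings applied"; use one term in both clauses (RFC 7231, already in the bibliography, uses "content-coding").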
- <h4class="heading settled"data-level="3.3.4"id="get-the-strongest-metadata"><spanclass="secno">3.3.4. </span><spanclass="content">Get the strongest metadata from <var>set</var></span><aclass="self-link"href="#get-the-strongest-metadata"></a></h4>
+ <h4class="heading settled"data-level="3.4.4"id="get-the-strongest-metadata"><spanclass="secno">3.4.4. </span><spanclass="content">Get the strongest metadata from <var>set</var></span><aclass="self-link"href="#get-the-strongest-metadata"></a></h4>
<ol>
<lidata-md="">
<p>Let <var>result</var> be the empty set and <var>strongest</var> be the empty
validation since Subresource Integrity requires CORS, and it is a logical error
to attempt to use it without CORS. Additionally, user agents SHOULD report a
warning message to the developer console to explain this failure.</p>
- <h3class="heading settled"data-level="3.4"id="verification-of-html-document-subresources"><spanclass="secno">3.4. </span><spanclass="content">Verification of HTML document subresources</span><aclass="self-link"href="#verification-of-html-document-subresources"></a></h3>
+ <h3class="heading settled"data-level="3.5"id="verification-of-html-document-subresources"><spanclass="secno">3.5. </span><spanclass="content">Verification of HTML document subresources</span><aclass="self-link"href="#verification-of-html-document-subresources"></a></h3>
<p>A variety of HTML elements result in requests for resources that are to be
embedded into the document, or executed in its context. To support integrity
metadata for some of these elements, a new <code>integrity</code> attribute is added to
value each element’s <code>integrity</code> content attribute is added to the <code>HTMLLinkElement</code> and <code>HTMLScriptElement</code> interfaces.</p>
<pclass="note"role="note">Note: A future revision of this specification is likely to include integrity support
for all possible subresources, i.e., <code>a</code>, <code>audio</code>, <code>embed</code>, <code>iframe</code>, <code>img</code>, <code>link</code>, <code>object</code>, <code>script</code>, <code>source</code>, <code>track</code>, and <code>video</code> elements.</p>
<p>The <code>integrity</code> attribute represents <adata-link-type="dfn"href="#integrity-metadata"id="ref-for-integrity-metadata-7">integrity metadata</a> for an element.
The value of the attribute MUST be either the empty string, or at least one
valid metadata as described by the following ABNF grammar:</p>
<p>The user agent will refuse to render or execute responses that fail an integrity
check, instead returning a network error as defined in Fetch <adata-link-type="biblio"href="#biblio-fetch">[FETCH]</a>.</p>
<pclass="note"role="note">Note: On a failed integrity check, an <code>error</code> event is fired. Developers
wishing to provide a canonical fallback resource (e.g., a resource not served
from a CDN, perhaps from a secondary, trusted, but slower source) can catch this <code>error</code> event and provide an appropriate handler to replace the
- <h4class="heading settled"data-level="3.8.1"id="link-element-for-stylesheets"><spanclass="secno">3.8.1. </span><spanclass="content">The <code>link</code> element for stylesheets</span><aclass="self-link"href="#link-element-for-stylesheets"></a></h4>
+ <h4class="heading settled"data-level="3.9.1"id="link-element-for-stylesheets"><spanclass="secno">3.9.1. </span><spanclass="content">The <code>link</code> element for stylesheets</span><aclass="self-link"href="#link-element-for-stylesheets"></a></h4>
<p>Whenever a user agent attempts to <adata-link-type="dfn"href="http://www.w3.org/TR/html5/document-metadata.html#concept-link-obtain">obtain a resource</a> pointed to by a <code>link</code> element that has a <code>rel</code> attribute with the keyword of <code>stylesheet</code>,
modify step 4 to read:</p>
<p>Do a potentially CORS-enabled fetch of the resulting absolute URL, with the
mode being the current state of the element’s crossorigin content attribute,
the origin being the origin of the link element’s Document, the default origin
behavior set to taint, and the <adata-link-type="dfn"href="#integrity-metadata"id="ref-for-integrity-metadata-8">integrity metadata</a> of the request set to
the value of the element’s <code>integrity</code> attribute.</p>
<p>Replace step 14.1 of HTML5’s <adata-link-type="dfn"href="http://www.w3.org/TR/html5/scripting-1.html#prepare-a-script">prepare a script</a> algorithm with:</p>
<h3class="no-num no-ref heading settled"id="index-defined-here"><spanclass="content">Terms defined by this specification</span><aclass="self-link"href="#index-defined-here"></a></h3>
<ulclass="index">
<li><ahref="#base64-encoding">base64 encoding</a><span>, in §2</span>
- <li><ahref="#grammardef-base64-value">base64-value</a><span>, in §3.5</span>
+ <li><ahref="#grammardef-base64-value">base64-value</a><span>, in §3.6</span>
<li><ahref="#content-encoding">content encoding</a><span>, in §2</span>
<li><ahref="#cross-origin">cross-origin</a><span>, in §2</span>
<li><ahref="#digest">digest</a><span>, in §2</span>
<li><ahref="#getprioritizedhashfunction">getPrioritizedHashFunction</a><span>, in §3.2.2</span>
- <li><ahref="#grammardef-hash-algo">hash-algo</a><span>, in §3.5</span>
- <li><ahref="#grammardef-hash-expression">hash-expression</a><span>, in §3.5</span>
- <li><ahref="#grammardef-hash-with-options">hash-with-options</a><span>, in §3.5</span>
+ <li><ahref="#grammardef-hash-algo">hash-algo</a><span>, in §3.6</span>
+ <li><ahref="#grammardef-hash-expression">hash-expression</a><span>, in §3.6</span>
+ <li><ahref="#grammardef-hash-with-options">hash-with-options</a><span>, in §3.6</span>
<li>
integrity
<ul>
- <li><ahref="#dom-htmllinkelement-integrity">attribute for HTMLLinkElement</a><span>, in §3.6.1</span>
- <li><ahref="#dom-htmlscriptelement-integrity">attribute for HTMLScriptElement</a><span>, in §3.6.2</span>
+ <li><ahref="#dom-htmllinkelement-integrity">attribute for HTMLLinkElement</a><span>, in §3.7.1</span>
+ <li><ahref="#dom-htmlscriptelement-integrity">attribute for HTMLScriptElement</a><span>, in §3.7.2</span>
</ul>
- <li><ahref="#grammardef-integrity-metadata">integrity-metadata</a><span>, in §3.5</span>
+ <li><ahref="#grammardef-integrity-metadata">integrity-metadata</a><span>, in §3.6</span>
<li><ahref="#integrity-metadata">integrity
metadata</a><span>, in §3.1</span>
- <li><ahref="#grammardef-option-expression">option-expression</a><span>, in §3.5</span>
+ <li><ahref="#grammardef-option-expression">option-expression</a><span>, in §3.6</span>
<li><ahref="#origin">origin</a><span>, in §2</span>
<li><ahref="#representation-data">representation data</a><span>, in §2</span>
+ <li><ahref="#require-sri-for">require-sri-for</a><span>, in §3.3.1</span>
<li><ahref="#same-origin">same-origin</a><span>, in §2</span>
</ul>
<h3class="no-num no-ref heading settled"id="index-defined-elsewhere"><spanclass="content">Terms defined by reference</span><aclass="self-link"href="#index-defined-elsewhere"></a></h3>
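Review bot: The new index entry places require-sri-for in §3.3.1, while the dfn panel in the body shows it referenced from "3.3.2. Parsing require-sri-for" and the first step of §3.3.3 links to §3.3.2 as well; that is consistent only if 3.3.1 defines the directive and 3.3.2 parses it, yet the table-of-contents hunk at the top of this commit adds an entry for 3.3.3 Apply algorithm to request alone. Please check that the TOC also gains entries for 3.3.1 and 3.3.2, otherwise the index and the dfn panel point at section numbers the TOC does not list.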
<dd>D. Crocker, Ed.; P. Overell. <ahref="https://tools.ietf.org/html/rfc5234">Augmented BNF for Syntax Specifications: ABNF</a>. January 2008. Internet Standard. URL: <ahref="https://tools.ietf.org/html/rfc5234">https://tools.ietf.org/html/rfc5234</a>
<dtid="biblio-cors">[CORS]
<dd>Anne van Kesteren. <ahref="http://www.w3.org/TR/cors/">Cross-Origin Resource Sharing</a>. 16 January 2014. REC. URL: <ahref="http://www.w3.org/TR/cors/">http://www.w3.org/TR/cors/</a>
+ <dtid="biblio-csp1">[CSP1]
+ <dd>Brandon Sterne; Adam Barth. <ahref="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html">Content Security Policy 1.0</a>. 19 February 2015. NOTE. URL: <ahref="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html">http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html</a>
<dtid="biblio-fetch">[FETCH]
<dd>Anne van Kesteren. <ahref="https://fetch.spec.whatwg.org/">Fetch Standard</a>. Living Standard. URL: <ahref="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
<dtid="biblio-html">[HTML]
<dd>Ian Hickson. <ahref="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <ahref="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
<dtid="biblio-html5">[HTML5]
- <dd>Ian Hickson; et al. <ahref="http://www.w3.org/TR/html5/">HTML5</a>. 28 October 2014. REC. URL: <ahref="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a>
+ <dd>Ian Hickson; et al. <ahref="http://www.w3.org/html/wg/drafts/html/master/">HTML5</a>. 28 October 2014. REC. URL: <ahref="http://www.w3.org/html/wg/drafts/html/master/">http://www.w3.org/html/wg/drafts/html/master/</a>
<dtid="biblio-mime-types">[MIME-TYPES]
<dd>N. Freed; N. Borenstein. <ahref="https://tools.ietf.org/html/rfc2046">Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types</a>. November 1996. Draft Standard. URL: <ahref="https://tools.ietf.org/html/rfc2046">https://tools.ietf.org/html/rfc2046</a>
<dd>S. Bradner. <ahref="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <ahref="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
<dtid="biblio-rfc4648">[RFC4648]
<dd>S. Josefsson. <ahref="https://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a>. October 2006. Proposed Standard. URL: <ahref="https://tools.ietf.org/html/rfc4648">https://tools.ietf.org/html/rfc4648</a>
+ <dtid="biblio-rfc7230">[RFC7230]
+ <dd>R. Fielding, Ed.; J. Reschke, Ed.. <ahref="https://tools.ietf.org/html/rfc7230">Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing</a>. June 2014. Proposed Standard. URL: <ahref="https://tools.ietf.org/html/rfc7230">https://tools.ietf.org/html/rfc7230</a>
<dtid="biblio-rfc7231">[RFC7231]
<dd>R. Fielding, Ed.; J. Reschke, Ed.. <ahref="https://tools.ietf.org/html/rfc7231">Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</a>. June 2014. Proposed Standard. URL: <ahref="https://tools.ietf.org/html/rfc7231">https://tools.ietf.org/html/rfc7231</a>
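Review bot: The [HTML5] entry now links to the editor's draft URL (http://www.w3.org/html/wg/drafts/html/master/) while still describing the reference as "28 October 2014. REC.", which is the dated Recommendation published at http://www.w3.org/TR/html5/; either keep the TR URL or change the date and status to match the draft. The added [CSP1] entry also does not line up with the body text: the require-sri-for paragraph links "Content Security Policy" to https://www.w3.org/TR/CSP/ rather than to the CSP 1.0 document this entry describes, and none of the lines shown contain a [CSP1] citation; the in-text link and the bibliography entry should point at the same document. Likewise, the added [RFC7230] entry has no citation in the lines shown; if it is cited elsewhere in the file that is fine, otherwise drop it.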
0 comments on commit
5c05e06