
Regenerate generated files

1 parent 87f59f9 commit a333571bc0f2200baf265093b22f14e4a7533294 @fmarier fmarier committed Jun 15, 2016
Showing with 88 additions and 41 deletions.
  1. +84 −37 index.bikeshed.html
  2. +4 −4 index.html
index.bikeshed.html
@@ -1150,6 +1150,8 @@
}
</style>
<meta content="Bikeshed 1.0.0" name="generator">
+ <meta>
+ element:
<style>/* style-md-lists */
/* This is a weird hack for me not yet following the commonmark spec
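Review bot: The two lines added after the generator meta, `<meta>` and `element:`, put an attribute-less meta tag and a loose word into the document head. That looks like prose from the spec source leaking through unescaped rather than intended output. Escape the `<meta>` mention in the source so it renders as text, then regenerate, instead of committing the stray tag.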
@@ -1338,7 +1340,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="http://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
<h1 class="p-name no-ref" id="title">Subresource Integrity</h1>
- <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2016-05-18">18 May 2016</time></span></h2>
+ <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2016-06-15">15 June 2016</time></span></h2>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
@@ -1356,7 +1358,7 @@ <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="cont
<dt class="editor">Editors:
<dd class="editor p-author h-card vcard"><a class="p-name fn u-url url" href="http://devd.me">Devdatta Akhawe</a> (<span class="p-org org">Dropbox Inc.</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
<dd class="editor p-author h-card vcard" data-editor-id="68466"><a class="p-name fn u-url url" href="https://frederik-braun.com">Frederik Braun</a> (<span class="p-org org">Mozilla</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
- <dd class="editor p-author h-card vcard"><a class="p-name fn u-url url" href="https://fmarier.org">Francois Marier</a> (<span class="p-org org">Mozilla</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
+ <dd class="editor p-author h-card vcard"><a class="p-name fn u-url url" href="https://fmarier.org">François Marier</a> (<span class="p-org org">Mozilla</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
<dd class="editor p-author h-card vcard"><a class="p-name fn u-url url" href="https://joelweinberger.us">Joel Weinberger</a> (<span class="p-org org">Google Inc.</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
<dt>Implementation status:
<dd><span><a href="https://code.google.com/p/chromium/issues/detail?id=355467">Blink/Chromium</a><br><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Gecko</a></span>
@@ -1690,41 +1692,56 @@ <h4 class="heading settled" data-level="3.2.2" id="priority"><span class="secno"
<h3 class="heading settled" data-level="3.3" id="request-verification-algorithms"><span class="secno">3.3. </span><span class="content">Request verification algorithms</span><a class="self-link" href="#request-verification-algorithms"></a></h3>
<h4 class="heading settled" data-level="3.3.1" id="opt-in-require-sri-for"><span class="secno">3.3.1. </span><span class="content">Opting-in</span><a class="self-link" href="#opt-in-require-sri-for"></a></h4>
<p>Authors may opt a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> to require SRI metadata be present for
-some resource types via a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="require-sri-for" id="require-sri-for">require-sri-for<span class="dfn-panel" data-deco=""><b><a href="#require-sri-for">#require-sri-for</a></b><b>Referenced in:</b><span><a href="#ref-for-require-sri-for-1">3.3.2. Parsing require-sri-for</a></span><span><a href="#ref-for-require-sri-for-2">3.3.3. Apply algorithm to request</a></span></span></dfn> <a data-link-type="dfn" href="https://www.w3.org/TR/CSP/#content-security-policy">Content
+some resource types via a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="require-sri-for">require-sri-for</dfn> <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#content-security-policy">Content
Security Policy</a> directive defined by the following ABNF grammar:</p>
<pre>directive-name = "require-sri-for"
directive-value = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a> )
</pre>
- <p>The directive recognizes a number of potential token values:</p>
+ <p>The following list contains the set of <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="known-tokens">known tokens</dfn>:</p>
<ul>
<li data-md="">
<p><code>script</code> requires SRI for scripts</p>
<li data-md="">
<p><code>style</code> requires SRI for style sheets</p>
</ul>
<h4 class="heading settled" data-level="3.3.2" id="parse-require-sri-for"><span class="secno">3.3.2. </span><span class="content">Parsing <code>require-sri-for</code></span><a class="self-link" href="#parse-require-sri-for"></a></h4>
- <p>To parse the <var>token</var> list, the user agent MUST use an algorithm equivalent to the following:</p>
+ <p>Given a string (<var>token list</var>), this algorithm returns a list of resource
+types which will require integrity checks:</p>
<ol>
<li data-md="">
<p>Let the set of <var>protected resource types</var> that require SRI be the empty set.</p>
<li data-md="">
- <p>For each token returned by <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#split-a-string-on-spaces">splitting tokens on spaces</a>,
-if token matches the grammar for <a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-1">require-sri-for</a>,
-add the token to the set of <var>protected resource types</var>. Otherwise, ignore the token.</p>
+ <p>For each <var>token</var> in the result of <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces"> splitting <var>token list</var> on spaces</a>, if token matches the grammar
+ for <a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-1">require-sri-for</a>, add <var>token</var> to <var>protected resource types</var> if <var>token</var> is a <a data-link-type="dfn" href="#known-tokens" id="ref-for-known-tokens-1">known token</a>. Otherwise, ignore the token.</p>
<li data-md="">
<p>Return the set of <var>protected resource types</var>.</p>
</ol>
<h4 class="heading settled" data-level="3.3.3" id="apply-algorithm-to-request"><span class="secno">3.3.3. </span><span class="content">Apply <var>algorithm</var> to <var>request</var></span><a class="self-link" href="#apply-algorithm-to-request"></a></h4>
+ <p>This directive’s <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#directive-pre-request-check">pre-request check</a> is as follows:</p>
+ <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#policy">policy</a> (<var>policy</var>):</p>
<ol>
<li data-md="">
- <p>Let <var>protected resource types</var> be the result of applying <a href="#parse-require-sri-for">§3.3.2 Parsing require-sri-for</a> to the value of the <a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-2">require-sri-for</a> directive.</p>
+ <p>Let <var>protected resource types</var> be the result of executing <a href="#parse-require-sri-for">§3.3.2 Parsing require-sri-for</a> on this <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#directives">directive</a>’s <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#directive-value">value</a>.</p>
<li data-md="">
- <p>If <var>request</var>’s type is a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#ascii-case-insensitive">ASCII case-insensitive match</a> for at least
-one token in <var>protected resource types</var>, and <var>request</var>’s integrity metadata
-is the empty string, return "Blocked":</p>
+ <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org#concept-request-destination">destination</a> is a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#ascii-case-insensitive">ASCII case-insensitive match</a> for at least
+ one token in <var>protected resource types</var>, and <var>request</var>’s integrity metadata
+ is the empty string, return "Blocked".</p>
+ <p class="note" role="note">Note: This logic means that request with matched <a data-link-type="dfn" href="https://fetch.spec.whatwg.org#concept-request-destination">destination</a> and missing <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-6">integrity metadata</a> will be blocked even if it is not currently possible to set it’s <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-7">integrity metadata</a>.
+ Such requests are originated by, for example, <code>importScripts()</code>, CSS' <code>@import</code>,
+ or <code>script</code>/<code>style</code> elements without crossorigin content attribute.</p>
<li data-md="">
<p>Return "Allowed".</p>
</ol>
+ <div class="example" id="example-d62efad6">
+ <a class="self-link" href="#example-d62efad6"></a> A page with the following Content Security Policy:
+<pre>Content-Security-Policy: <a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-2">require-sri-for</a> script style
+</pre>
+ <p>is equivalent to Content Security Policy delivered through </p>
+<pre>&lt;meta http-equiv="Content-Security-Policy"
+ content="<a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-3">require-sri-for</a> script style">
+</pre>
+ <p>and requires <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-8">integrity metadata</a> be present in <code>script</code> and <code>link</code> HTML elements that contain <code>src</code> attribute.</p>
+ </div>
<h3 class="heading settled" data-level="3.4" id="response-verification-algorithms"><span class="secno">3.4. </span><span class="content">Response verification algorithms</span><a class="self-link" href="#response-verification-algorithms"></a></h3>
<h4 class="heading settled" data-level="3.4.1" id="apply-algorithm-to-response"><span class="secno">3.4.1. </span><span class="content">Apply <var>algorithm</var> to <var>response</var></span><a class="self-link" href="#apply-algorithm-to-response"></a></h4>
<ol>
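Review bot: The last sentence of the new example says integrity metadata is required on `script` and `link` elements "that contain `src` attribute", but `link` carries its URL in `href`, not `src`, so the sentence should name both attributes or drop the clause. In the note added under step 2 of 3.3.3, "it's integrity metadata" should be "its", "request with matched destination" needs an article, and the context text "a ASCII case-insensitive match" should be "an". The rewritten step 2 of 3.3.2 also stacks two conditions ("if token matches the grammar ..., add token ... if token is a known token") in front of a single "Otherwise, ignore the token"; splitting it into two sub-steps would make clear that a token failing either test is ignored. Since the note says `importScripts()`, CSS `@import` and elements without the crossorigin attribute are blocked with no way to supply metadata, the example would be more useful to authors if it mentioned that consequence of `require-sri-for script style`. These are generated files, so the fixes belong in the source before regenerating.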
@@ -1781,7 +1798,7 @@ <h4 class="heading settled" data-level="3.4.2" id="is-response-eligible"><span c
response to the request, so its body, too, is fully readable by the requestor.</p>
</ul>
</div>
- <h4 class="heading settled" data-level="3.3.3" id="parse-metadata"><span class="secno">3.3.3. </span><span class="content">Parse <var>metadata</var></span><a class="self-link" href="#parse-metadata"></a></h4>
+ <h4 class="heading settled" data-level="3.4.3" id="parse-metadata"><span class="secno">3.4.3. </span><span class="content">Parse <var>metadata</var></span><a class="self-link" href="#parse-metadata"></a></h4>
<p>This algorithm accepts a string, and returns either <code>no metadata</code>, or a set of
valid hash expressions whose hash functions are understood by
the user agent.</p>
@@ -1800,7 +1817,7 @@ <h4 class="heading settled" data-level="3.3.3" id="parse-metadata"><span class="
<p>If <var>token</var> is not a valid metadata, skip the remaining
steps, and proceed to the next token.</p>
<li data-md="">
- <p>Parse <var>token</var> per the grammar in <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-6">integrity metadata</a>.</p>
+ <p>Parse <var>token</var> per the grammar in <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-9">integrity metadata</a>.</p>
<li data-md="">
<p>Let <var>algorithm</var> be the <var>alg</var> component of <var>token</var>.</p>
<li data-md="">
@@ -1893,7 +1910,7 @@ <h3 class="heading settled" data-level="3.5" id="verification-of-html-document-s
<p class="note" role="note">Note: A future revision of this specification is likely to include integrity support
for all possible subresources, i.e., <code>a</code>, <code>audio</code>, <code>embed</code>, <code>iframe</code>, <code>img</code>, <code>link</code>, <code>object</code>, <code>script</code>, <code>source</code>, <code>track</code>, and <code>video</code> elements.</p>
<h3 class="heading settled" data-level="3.6" id="the-integrity-attribute"><span class="secno">3.6. </span><span class="content">The <code>integrity</code> attribute</span><a class="self-link" href="#the-integrity-attribute"></a></h3>
- <p>The <code>integrity</code> attribute represents <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-7">integrity metadata</a> for an element.
+ <p>The <code>integrity</code> attribute represents <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-10">integrity metadata</a> for an element.
The value of the attribute MUST be either the empty string, or at least one
valid metadata as described by the following ABNF grammar:</p>
<pre><dfn data-dfn-type="grammar" data-export="" id="grammardef-integrity-metadata">integrity-metadata<a class="self-link" href="#grammardef-integrity-metadata"></a></dfn> = *<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">WSP</a> <a data-link-type="grammar" href="#grammardef-hash-with-options" id="ref-for-grammardef-hash-with-options-1">hash-with-options</a> *(1*<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">WSP</a> <a data-link-type="grammar" href="#grammardef-hash-with-options" id="ref-for-grammardef-hash-with-options-2">hash-with-options</a> ) *<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">WSP</a> / *<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">WSP</a>
@@ -1943,21 +1960,21 @@ <h4 class="heading settled" data-level="3.9.1" id="link-element-for-stylesheets"
<p>Do a potentially CORS-enabled fetch of the resulting absolute URL, with the
mode being the current state of the element’s crossorigin content attribute,
the origin being the origin of the link element’s Document, the default origin
-behavior set to taint, and the <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-8">integrity metadata</a> of the request set to
+behavior set to taint, and the <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-11">integrity metadata</a> of the request set to
the value of the element’s <code>integrity</code> attribute.</p>
<h4 class="heading settled" data-level="3.9.2" id="script-element"><span class="secno">3.9.2. </span><span class="content">The <code>script</code> element</span><a class="self-link" href="#script-element"></a></h4>
<p>Replace step 14.1 of HTML5’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#prepare-a-script">prepare a script</a> algorithm with:</p>
<ol>
<li data-md="">
<p>Let <var>src</var> be the value of the element’s <code>src</code> attribute and
- the request’s associated <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-9">integrity metadata</a> be the value of the
+ the request’s associated <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-12">integrity metadata</a> be the value of the
element’s <code>integrity</code> attribute.</p>
</ol>
<h2 class="heading settled" data-level="4" id="proxies"><span class="secno">4. </span><span class="content">Proxies</span><a class="self-link" href="#proxies"></a></h2>
<p>Optimizing proxies and other intermediate servers which modify the
responses MUST ensure that the digest associated
with those responses stays in sync with the new content. One option
-is to ensure that the <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-10">integrity metadata</a> associated with
+is to ensure that the <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-13">integrity metadata</a> associated with
resources is updated. Another
would be simply to deliver only the canonical version of resources
for which a page author has requested integrity verification.</p>
@@ -1967,7 +1984,7 @@ <h2 class="heading settled" data-level="4" id="proxies"><span class="secno">4. <
<h2 class="heading settled" data-level="5" id="security-considerations"><span class="secno">5. </span><span class="content">Security Considerations</span><a class="self-link" href="#security-considerations"></a></h2>
<p><em> This section is not normative.</em></p>
<h3 class="heading settled" data-level="5.1" id="non-secure-contexts"><span class="secno">5.1. </span><span class="content">Non-secure contexts remain non-secure</span><a class="self-link" href="#non-secure-contexts"></a></h3>
- <p><a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-11">Integrity metadata</a> delivered by a context that is not a <a data-link-type="dfn" href="&quot;http://www.w3.org/TR/powerful-features/&quot;#secure-context">Secure
+ <p><a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-14">Integrity metadata</a> delivered by a context that is not a <a data-link-type="dfn" href="&quot;http://www.w3.org/TR/powerful-features/&quot;#secure-context">Secure
Context</a> such as an HTTP page, only protects an origin against a compromise
of the server where an external resources is hosted. Network attackers can alter
the digest in-flight (or remove it entirely, or do absolutely anything else to
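Review bot: The regenerated Secure Context link still has `href="&quot;http://www.w3.org/TR/powerful-features/&quot;#secure-context"`, so the URL contains literal quote characters and will not resolve. Only the `ref-for-integrity-metadata` id changed on this line, which means the defect comes from the source link definition; remove the quotes around the URL there and regenerate. The context line below it also reads "an external resources", which should be singular.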
@@ -2065,6 +2082,7 @@ <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="c
<li><a href="#grammardef-integrity-metadata">integrity-metadata</a><span>, in §3.6</span>
<li><a href="#integrity-metadata">integrity
metadata</a><span>, in §3.1</span>
+ <li><a href="#known-tokens">known tokens</a><span>, in §3.3.1</span>
<li><a href="#grammardef-option-expression">option-expression</a><span>, in §3.6</span>
<li><a href="#origin">origin</a><span>, in §2</span>
<li><a href="#representation-data">representation data</a><span>, in §2</span>
@@ -2080,8 +2098,18 @@ <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span cla
<li><a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">wsp</a>
</ul>
<li>
+ <a data-link-type="biblio">[CSP1]</a> defines the following terms:
+ <ul>
+ <li><a href="https://w3c.github.io/webappsec-csp/#content-security-policy">content security policy</a>
+ <li><a href="https://w3c.github.io/webappsec-csp/#directives">directive</a>
+ <li><a href="https://w3c.github.io/webappsec-csp/#policy">policy</a>
+ <li><a href="https://w3c.github.io/webappsec-csp/#directive-pre-request-check">pre-request check</a>
+ <li><a href="https://w3c.github.io/webappsec-csp/#directive-value">value</a>
+ </ul>
+ <li>
<a data-link-type="biblio">[FETCH]</a> defines the following terms:
<ul>
+ <li><a href="https://fetch.spec.whatwg.org#concept-request-destination">destination</a>
<li><a href="https://fetch.spec.whatwg.org#concept-fetch">fetch</a>
<li><a href="https://fetch.spec.whatwg.org#concept-request">request</a>
<li><a href="https://fetch.spec.whatwg.org#concept-response-type">response type</a>
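Review bot: The new index entry attributes "directive", "policy", "pre-request check" and "value" to `[CSP1]`, while every one of those links points at the `https://w3c.github.io/webappsec-csp/` editor's draft. Confirm that the biblio key matches the document these anchors actually live in, otherwise the references section will cite a different CSP document from the one the normative text in 3.3.3 depends on.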
@@ -2095,8 +2123,13 @@ <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span cla
<li><a href="http://www.w3.org/TR/html5/document-metadata.html#concept-link-obtain">obtain a resource</a>
<li><a href="http://www.w3.org/TR/html5/scripting-1.html#prepare-a-script">prepare a script</a>
<li><a href="http://www.w3.org/TR/html5/infrastructure.html#reflect">reflect</a>
- <li><a href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">split on spaces</a>
- <li><a href="http://www.w3.org/TR/html5/scripting-1.html#split-a-string-on-spaces">splitting tokens on spaces</a>
+ <li><a href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">split a string on spaces</a>
+ </ul>
+ <li>
+ <a data-link-type="biblio">[rfc7230]</a> defines the following terms:
+ <ul>
+ <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.3">rws</a>
+ <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a>
</ul>
<li>
<a data-link-type="biblio">[rfc7234]</a> defines the following terms:
@@ -2188,26 +2221,26 @@ <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">I
<aside class="dfn-panel" data-for="cross-origin">
<b><a href="#cross-origin">#cross-origin</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-cross-origin-1">3.3.2. Is response eligible for integrity validation?</a>
+ <li><a href="#ref-for-cross-origin-1">3.4.2. Is response eligible for integrity validation?</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="same-origin">
<b><a href="#same-origin">#same-origin</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-same-origin-1">3.3.2. Is response eligible for integrity validation?</a>
+ <li><a href="#ref-for-same-origin-1">3.4.2. Is response eligible for integrity validation?</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="representation-data">
<b><a href="#representation-data">#representation-data</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-representation-data-1">3.3.1. Apply algorithm to response</a> <a href="#ref-for-representation-data-2">(2)</a>
+ <li><a href="#ref-for-representation-data-1">3.4.1. Apply algorithm to response</a> <a href="#ref-for-representation-data-2">(2)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="base64-encoding">
<b><a href="#base64-encoding">#base64-encoding</a></b><b>Referenced in:</b>
<ul>
<li><a href="#ref-for-base64-encoding-1">3.1. Integrity metadata</a>
- <li><a href="#ref-for-base64-encoding-2">3.3.1. Apply algorithm to response</a>
+ <li><a href="#ref-for-base64-encoding-2">3.4.1. Apply algorithm to response</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="integrity-metadata">
@@ -2216,49 +2249,63 @@ <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">I
<li><a href="#ref-for-integrity-metadata-1">1.2.1. Resource Integrity</a> <a href="#ref-for-integrity-metadata-2">(2)</a> <a href="#ref-for-integrity-metadata-3">(3)</a>
<li><a href="#ref-for-integrity-metadata-4">3.2. Cryptographic hash functions</a>
<li><a href="#ref-for-integrity-metadata-5">3.2.1. Agility</a>
- <li><a href="#ref-for-integrity-metadata-6">3.3.3. Parse metadata</a>
- <li><a href="#ref-for-integrity-metadata-7">3.5. The integrity attribute</a>
- <li><a href="#ref-for-integrity-metadata-8">3.8.1. The link element for stylesheets</a>
- <li><a href="#ref-for-integrity-metadata-9">3.8.2. The script element</a>
- <li><a href="#ref-for-integrity-metadata-10">4. Proxies</a>
- <li><a href="#ref-for-integrity-metadata-11">5.1. Non-secure contexts remain non-secure</a>
+ <li><a href="#ref-for-integrity-metadata-6">3.3.3. Apply algorithm to request</a> <a href="#ref-for-integrity-metadata-7">(2)</a> <a href="#ref-for-integrity-metadata-8">(3)</a>
+ <li><a href="#ref-for-integrity-metadata-9">3.4.3. Parse metadata</a>
+ <li><a href="#ref-for-integrity-metadata-10">3.6. The integrity attribute</a>
+ <li><a href="#ref-for-integrity-metadata-11">3.9.1. The link element for stylesheets</a>
+ <li><a href="#ref-for-integrity-metadata-12">3.9.2. The script element</a>
+ <li><a href="#ref-for-integrity-metadata-13">4. Proxies</a>
+ <li><a href="#ref-for-integrity-metadata-14">5.1. Non-secure contexts remain non-secure</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="getprioritizedhashfunction">
<b><a href="#getprioritizedhashfunction">#getprioritizedhashfunction</a></b><b>Referenced in:</b>
<ul>
<li><a href="#ref-for-getprioritizedhashfunction-1">3.2.2. Priority</a>
- <li><a href="#ref-for-getprioritizedhashfunction-2">3.3.4. Get the strongest metadata from set</a>
+ <li><a href="#ref-for-getprioritizedhashfunction-2">3.4.4. Get the strongest metadata from set</a>
+ </ul>
+ </aside>
+ <aside class="dfn-panel" data-for="require-sri-for">
+ <b><a href="#require-sri-for">#require-sri-for</a></b><b>Referenced in:</b>
+ <ul>
+ <li><a href="#ref-for-require-sri-for-1">3.3.2. Parsing require-sri-for</a>
+ <li><a href="#ref-for-require-sri-for-2">3.3.3. Apply algorithm to request</a> <a href="#ref-for-require-sri-for-3">(2)</a>
+ </ul>
+ </aside>
+ <aside class="dfn-panel" data-for="known-tokens">
+ <b><a href="#known-tokens">#known-tokens</a></b><b>Referenced in:</b>
+ <ul>
+ <li><a href="#ref-for-known-tokens-1">3.3.2. Parsing require-sri-for</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-hash-with-options">
<b><a href="#grammardef-hash-with-options">#grammardef-hash-with-options</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-hash-with-options-1">3.5. The integrity attribute</a> <a href="#ref-for-grammardef-hash-with-options-2">(2)</a>
+ <li><a href="#ref-for-grammardef-hash-with-options-1">3.6. The integrity attribute</a> <a href="#ref-for-grammardef-hash-with-options-2">(2)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-option-expression">
<b><a href="#grammardef-option-expression">#grammardef-option-expression</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-option-expression-1">3.5. The integrity attribute</a>
+ <li><a href="#ref-for-grammardef-option-expression-1">3.6. The integrity attribute</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-hash-algo">
<b><a href="#grammardef-hash-algo">#grammardef-hash-algo</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-hash-algo-1">3.5. The integrity attribute</a>
+ <li><a href="#ref-for-grammardef-hash-algo-1">3.6. The integrity attribute</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-base64-value">
<b><a href="#grammardef-base64-value">#grammardef-base64-value</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-base64-value-1">3.5. The integrity attribute</a>
+ <li><a href="#ref-for-grammardef-base64-value-1">3.6. The integrity attribute</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-hash-expression">
<b><a href="#grammardef-hash-expression">#grammardef-hash-expression</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-hash-expression-1">3.5. The integrity attribute</a>
+ <li><a href="#ref-for-grammardef-hash-expression-1">3.6. The integrity attribute</a>
</ul>
</aside>
<script>/* script-dfn-panel */
index.html
@@ -8,7 +8,7 @@
var respecConfig = {
// specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
// Member-SUBM
- specStatus: "PR",
+ specStatus: "REC",
// the specification's short name, as in http://www.w3.org/TR/short-name/
shortName: "SRI",
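Review bot: Changing `specStatus` from "PR" to "REC" is a publication-status change, and the commit message "Regenerate generated files" does not mention it. Together with the `previousMaturity` and `previousPublishDate` edits in the next hunk, this would be easier to audit as its own commit or with a message that states the move to REC. Note also that `index.bikeshed.html` in this same commit still renders the subtitle as "Editor’s Draft", so the two outputs now describe different maturity levels; a short comment explaining that this is intentional would help.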
@@ -21,8 +21,8 @@
edDraftURI: "https://w3c.github.io/webappsec-subresource-integrity/",
crEnd: "2015-12-15",
- previousMaturity: "WD",
- previousPublishDate: "2015-10-06",
+ previousMaturity: "PR",
+ previousPublishDate: "2016-05-10",
implementationReportURI: "https://github.com/w3c/webappsec-subresource-integrity/wiki/Links",
@@ -31,7 +31,7 @@
editors: [
{ name: "Devdatta Akhawe", url: "http://devd.me", mailto: "[email protected]", company: "Dropbox, Inc.", companyURL: "https://www.dropbox.com/"},
{ name: "Frederik Braun", url: "https://frederik-braun.com/", mailto: "[email protected]", company: "Mozilla", companyURL: "https://www.mozilla.org/", w3cid: 68466 },
- { name: "Francois Marier", url: "https://fmarier.org", mailto: "[email protected]", company: "Mozilla", companyURL: "https://www.mozilla.org/" },
+ { name: "François Marier", url: "https://fmarier.org", mailto: "[email protected]", company: "Mozilla", companyURL: "https://www.mozilla.org/" },
{ name: "Joel Weinberger", url: "https://joelweinberger.us/", mailto: "[email protected]", company: "Google, Inc.", companyURL: "https://google.com/" },
],
