Merge pull request #42 from fmarier/publish_v1_rec

Update spec status and fix spelling of my name
2 parents d776be7 + a333571 commit cc16d00494e61c3f84bd4b79768bdc6a9667a40c @fmarier fmarier committed on GitHub Jun 15, 2016
Showing with 93 additions and 46 deletions.
  1. +1 −1 index.bikeshed.bs
  2. +84 −37 index.bikeshed.html
  3. +4 −4 index.html
  4. +4 −4 template.erb
@@ -9,7 +9,7 @@ Shortname: SRI
Level: 1
Editor: Devdatta Akhawe, Dropbox Inc., http://devd.me, [email protected]
Editor: Frederik Braun 68466, Mozilla, https://frederik-braun.com, [email protected]
-Editor: Francois Marier, Mozilla, https://fmarier.org, [email protected]
+Editor: François Marier, Mozilla, https://fmarier.org, [email protected]
Editor: Joel Weinberger, Google Inc., https://joelweinberger.us, [email protected]
Abstract:
This specification defines a mechanism by which user agents may verify that a
@@ -1150,6 +1150,8 @@
}
</style>
<meta content="Bikeshed 1.0.0" name="generator">
+ <meta>
+ element:
<style>/* style-md-lists */
/* This is a weird hack for me not yet following the commonmark spec
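Review bot: the two added lines in this hunk, a bare `<meta>` with no attributes followed by the stray text node `element:`, look like generator output leaking into the document `<head>` rather than intended markup; the empty `<meta>` carries no metadata and a text node in `<head>` may be rendered as visible page text. Suggest dropping both lines from index.bikeshed.html (or fixing whatever in the Bikeshed source emits them) before this is published as the REC.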
@@ -1338,7 +1340,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="http://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
<h1 class="p-name no-ref" id="title">Subresource Integrity</h1>
- <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2016-05-18">18 May 2016</time></span></h2>
+ <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2016-06-15">15 June 2016</time></span></h2>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
@@ -1356,7 +1358,7 @@ <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="cont
<dt class="editor">Editors:
<dd class="editor p-author h-card vcard"><a class="p-name fn u-url url" href="http://devd.me">Devdatta Akhawe</a> (<span class="p-org org">Dropbox Inc.</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
<dd class="editor p-author h-card vcard" data-editor-id="68466"><a class="p-name fn u-url url" href="https://frederik-braun.com">Frederik Braun</a> (<span class="p-org org">Mozilla</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
- <dd class="editor p-author h-card vcard"><a class="p-name fn u-url url" href="https://fmarier.org">Francois Marier</a> (<span class="p-org org">Mozilla</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
+ <dd class="editor p-author h-card vcard"><a class="p-name fn u-url url" href="https://fmarier.org">François Marier</a> (<span class="p-org org">Mozilla</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
<dd class="editor p-author h-card vcard"><a class="p-name fn u-url url" href="https://joelweinberger.us">Joel Weinberger</a> (<span class="p-org org">Google Inc.</span>) <a class="u-email email" href="mailto:[email protected]">[email protected]</a>
<dt>Implementation status:
<dd><span><a href="https://code.google.com/p/chromium/issues/detail?id=355467">Blink/Chromium</a><br><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Gecko</a></span>
@@ -1690,41 +1692,56 @@ <h4 class="heading settled" data-level="3.2.2" id="priority"><span class="secno"
<h3 class="heading settled" data-level="3.3" id="request-verification-algorithms"><span class="secno">3.3. </span><span class="content">Request verification algorithms</span><a class="self-link" href="#request-verification-algorithms"></a></h3>
<h4 class="heading settled" data-level="3.3.1" id="opt-in-require-sri-for"><span class="secno">3.3.1. </span><span class="content">Opting-in</span><a class="self-link" href="#opt-in-require-sri-for"></a></h4>
<p>Authors may opt a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> to require SRI metadata be present for
-some resource types via a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="require-sri-for" id="require-sri-for">require-sri-for<span class="dfn-panel" data-deco=""><b><a href="#require-sri-for">#require-sri-for</a></b><b>Referenced in:</b><span><a href="#ref-for-require-sri-for-1">3.3.2. Parsing require-sri-for</a></span><span><a href="#ref-for-require-sri-for-2">3.3.3. Apply algorithm to request</a></span></span></dfn> <a data-link-type="dfn" href="https://www.w3.org/TR/CSP/#content-security-policy">Content
+some resource types via a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="require-sri-for">require-sri-for</dfn> <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#content-security-policy">Content
Security Policy</a> directive defined by the following ABNF grammar:</p>
<pre>directive-name = "require-sri-for"
directive-value = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a> )
</pre>
- <p>The directive recognizes a number of potential token values:</p>
+ <p>The following list contains the set of <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="known-tokens">known tokens</dfn>:</p>
<ul>
<li data-md="">
<p><code>script</code> requires SRI for scripts</p>
<li data-md="">
<p><code>style</code> requires SRI for style sheets</p>
</ul>
<h4 class="heading settled" data-level="3.3.2" id="parse-require-sri-for"><span class="secno">3.3.2. </span><span class="content">Parsing <code>require-sri-for</code></span><a class="self-link" href="#parse-require-sri-for"></a></h4>
- <p>To parse the <var>token</var> list, the user agent MUST use an algorithm equivalent to the following:</p>
+ <p>Given a string (<var>token list</var>), this algorithm returns a list of resource
+types which will require integrity checks:</p>
<ol>
<li data-md="">
<p>Let the set of <var>protected resource types</var> that require SRI be the empty set.</p>
<li data-md="">
- <p>For each token returned by <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#split-a-string-on-spaces">splitting tokens on spaces</a>,
-if token matches the grammar for <a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-1">require-sri-for</a>,
-add the token to the set of <var>protected resource types</var>. Otherwise, ignore the token.</p>
+ <p>For each <var>token</var> in the result of <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces"> splitting <var>token list</var> on spaces</a>, if token matches the grammar
+ for <a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-1">require-sri-for</a>, add <var>token</var> to <var>protected resource types</var> if <var>token</var> is a <a data-link-type="dfn" href="#known-tokens" id="ref-for-known-tokens-1">known token</a>. Otherwise, ignore the token.</p>
<li data-md="">
<p>Return the set of <var>protected resource types</var>.</p>
</ol>
<h4 class="heading settled" data-level="3.3.3" id="apply-algorithm-to-request"><span class="secno">3.3.3. </span><span class="content">Apply <var>algorithm</var> to <var>request</var></span><a class="self-link" href="#apply-algorithm-to-request"></a></h4>
+ <p>This directive’s <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#directive-pre-request-check">pre-request check</a> is as follows:</p>
+ <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#policy">policy</a> (<var>policy</var>):</p>
<ol>
<li data-md="">
- <p>Let <var>protected resource types</var> be the result of applying <a href="#parse-require-sri-for">§3.3.2 Parsing require-sri-for</a> to the value of the <a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-2">require-sri-for</a> directive.</p>
+ <p>Let <var>protected resource types</var> be the result of executing <a href="#parse-require-sri-for">§3.3.2 Parsing require-sri-for</a> on this <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#directives">directive</a>’s <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#directive-value">value</a>.</p>
<li data-md="">
- <p>If <var>request</var>’s type is a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#ascii-case-insensitive">ASCII case-insensitive match</a> for at least
-one token in <var>protected resource types</var>, and <var>request</var>’s integrity metadata
-is the empty string, return "Blocked":</p>
+ <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org#concept-request-destination">destination</a> is a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#ascii-case-insensitive">ASCII case-insensitive match</a> for at least
+ one token in <var>protected resource types</var>, and <var>request</var>’s integrity metadata
+ is the empty string, return "Blocked".</p>
+ <p class="note" role="note">Note: This logic means that request with matched <a data-link-type="dfn" href="https://fetch.spec.whatwg.org#concept-request-destination">destination</a> and missing <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-6">integrity metadata</a> will be blocked even if it is not currently possible to set it’s <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-7">integrity metadata</a>.
+ Such requests are originated by, for example, <code>importScripts()</code>, CSS' <code>@import</code>,
+ or <code>script</code>/<code>style</code> elements without crossorigin content attribute.</p>
<li data-md="">
<p>Return "Allowed".</p>
</ol>
+ <div class="example" id="example-d62efad6">
+ <a class="self-link" href="#example-d62efad6"></a> A page with the following Content Security Policy:
+<pre>Content-Security-Policy: <a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-2">require-sri-for</a> script style
+</pre>
+ <p>is equivalent to Content Security Policy delivered through </p>
+<pre>&lt;meta http-equiv="Content-Security-Policy"
+ content="<a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-3">require-sri-for</a> script style">
+</pre>
+ <p>and requires <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-8">integrity metadata</a> be present in <code>script</code> and <code>link</code> HTML elements that contain <code>src</code> attribute.</p>
+ </div>
<h3 class="heading settled" data-level="3.4" id="response-verification-algorithms"><span class="secno">3.4. </span><span class="content">Response verification algorithms</span><a class="self-link" href="#response-verification-algorithms"></a></h3>
<h4 class="heading settled" data-level="3.4.1" id="apply-algorithm-to-response"><span class="secno">3.4.1. </span><span class="content">Apply <var>algorithm</var> to <var>response</var></span><a class="self-link" href="#apply-algorithm-to-response"></a></h4>
<ol>
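Review bot: the example's closing sentence says the policy requires integrity metadata in `script` and `link` elements "that contain src attribute", but `link` elements reference their stylesheet through `href`, not `src`, and the article is missing; suggest "in `script` elements with a `src` attribute and `link` elements with an `href` attribute". The new note in the same hunk also needs "request with matched destination" to read "a request with a matching destination" and "it's integrity metadata" to read "its integrity metadata".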
@@ -1781,7 +1798,7 @@ <h4 class="heading settled" data-level="3.4.2" id="is-response-eligible"><span c
response to the request, so its body, too, is fully readable by the requestor.</p>
</ul>
</div>
- <h4 class="heading settled" data-level="3.3.3" id="parse-metadata"><span class="secno">3.3.3. </span><span class="content">Parse <var>metadata</var></span><a class="self-link" href="#parse-metadata"></a></h4>
+ <h4 class="heading settled" data-level="3.4.3" id="parse-metadata"><span class="secno">3.4.3. </span><span class="content">Parse <var>metadata</var></span><a class="self-link" href="#parse-metadata"></a></h4>
<p>This algorithm accepts a string, and returns either <code>no metadata</code>, or a set of
valid hash expressions whose hash functions are understood by
the user agent.</p>
@@ -1800,7 +1817,7 @@ <h4 class="heading settled" data-level="3.3.3" id="parse-metadata"><span class="
<p>If <var>token</var> is not a valid metadata, skip the remaining
steps, and proceed to the next token.</p>
<li data-md="">
- <p>Parse <var>token</var> per the grammar in <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-6">integrity metadata</a>.</p>
+ <p>Parse <var>token</var> per the grammar in <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-9">integrity metadata</a>.</p>
<li data-md="">
<p>Let <var>algorithm</var> be the <var>alg</var> component of <var>token</var>.</p>
<li data-md="">
@@ -1893,7 +1910,7 @@ <h3 class="heading settled" data-level="3.5" id="verification-of-html-document-s
<p class="note" role="note">Note: A future revision of this specification is likely to include integrity support
for all possible subresources, i.e., <code>a</code>, <code>audio</code>, <code>embed</code>, <code>iframe</code>, <code>img</code>, <code>link</code>, <code>object</code>, <code>script</code>, <code>source</code>, <code>track</code>, and <code>video</code> elements.</p>
<h3 class="heading settled" data-level="3.6" id="the-integrity-attribute"><span class="secno">3.6. </span><span class="content">The <code>integrity</code> attribute</span><a class="self-link" href="#the-integrity-attribute"></a></h3>
- <p>The <code>integrity</code> attribute represents <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-7">integrity metadata</a> for an element.
+ <p>The <code>integrity</code> attribute represents <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-10">integrity metadata</a> for an element.
The value of the attribute MUST be either the empty string, or at least one
valid metadata as described by the following ABNF grammar:</p>
<pre><dfn data-dfn-type="grammar" data-export="" id="grammardef-integrity-metadata">integrity-metadata<a class="self-link" href="#grammardef-integrity-metadata"></a></dfn> = *<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">WSP</a> <a data-link-type="grammar" href="#grammardef-hash-with-options" id="ref-for-grammardef-hash-with-options-1">hash-with-options</a> *(1*<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">WSP</a> <a data-link-type="grammar" href="#grammardef-hash-with-options" id="ref-for-grammardef-hash-with-options-2">hash-with-options</a> ) *<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">WSP</a> / *<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">WSP</a>
@@ -1943,21 +1960,21 @@ <h4 class="heading settled" data-level="3.9.1" id="link-element-for-stylesheets"
<p>Do a potentially CORS-enabled fetch of the resulting absolute URL, with the
mode being the current state of the element’s crossorigin content attribute,
the origin being the origin of the link element’s Document, the default origin
-behavior set to taint, and the <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-8">integrity metadata</a> of the request set to
+behavior set to taint, and the <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-11">integrity metadata</a> of the request set to
the value of the element’s <code>integrity</code> attribute.</p>
<h4 class="heading settled" data-level="3.9.2" id="script-element"><span class="secno">3.9.2. </span><span class="content">The <code>script</code> element</span><a class="self-link" href="#script-element"></a></h4>
<p>Replace step 14.1 of HTML5’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#prepare-a-script">prepare a script</a> algorithm with:</p>
<ol>
<li data-md="">
<p>Let <var>src</var> be the value of the element’s <code>src</code> attribute and
- the request’s associated <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-9">integrity metadata</a> be the value of the
+ the request’s associated <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-12">integrity metadata</a> be the value of the
element’s <code>integrity</code> attribute.</p>
</ol>
<h2 class="heading settled" data-level="4" id="proxies"><span class="secno">4. </span><span class="content">Proxies</span><a class="self-link" href="#proxies"></a></h2>
<p>Optimizing proxies and other intermediate servers which modify the
responses MUST ensure that the digest associated
with those responses stays in sync with the new content. One option
-is to ensure that the <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-10">integrity metadata</a> associated with
+is to ensure that the <a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-13">integrity metadata</a> associated with
resources is updated. Another
would be simply to deliver only the canonical version of resources
for which a page author has requested integrity verification.</p>
@@ -1967,7 +1984,7 @@ <h2 class="heading settled" data-level="4" id="proxies"><span class="secno">4. <
<h2 class="heading settled" data-level="5" id="security-considerations"><span class="secno">5. </span><span class="content">Security Considerations</span><a class="self-link" href="#security-considerations"></a></h2>
<p><em> This section is not normative.</em></p>
<h3 class="heading settled" data-level="5.1" id="non-secure-contexts"><span class="secno">5.1. </span><span class="content">Non-secure contexts remain non-secure</span><a class="self-link" href="#non-secure-contexts"></a></h3>
- <p><a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-11">Integrity metadata</a> delivered by a context that is not a <a data-link-type="dfn" href="&quot;http://www.w3.org/TR/powerful-features/&quot;#secure-context">Secure
+ <p><a data-link-type="dfn" href="#integrity-metadata" id="ref-for-integrity-metadata-14">Integrity metadata</a> delivered by a context that is not a <a data-link-type="dfn" href="&quot;http://www.w3.org/TR/powerful-features/&quot;#secure-context">Secure
Context</a> such as an HTTP page, only protects an origin against a compromise
of the server where an external resources is hosted. Network attackers can alter
the digest in-flight (or remove it entirely, or do absolutely anything else to
@@ -2065,6 +2082,7 @@ <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="c
<li><a href="#grammardef-integrity-metadata">integrity-metadata</a><span>, in §3.6</span>
<li><a href="#integrity-metadata">integrity
metadata</a><span>, in §3.1</span>
+ <li><a href="#known-tokens">known tokens</a><span>, in §3.3.1</span>
<li><a href="#grammardef-option-expression">option-expression</a><span>, in §3.6</span>
<li><a href="#origin">origin</a><span>, in §2</span>
<li><a href="#representation-data">representation data</a><span>, in §2</span>
@@ -2080,8 +2098,18 @@ <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span cla
<li><a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">wsp</a>
</ul>
<li>
+ <a data-link-type="biblio">[CSP1]</a> defines the following terms:
+ <ul>
+ <li><a href="https://w3c.github.io/webappsec-csp/#content-security-policy">content security policy</a>
+ <li><a href="https://w3c.github.io/webappsec-csp/#directives">directive</a>
+ <li><a href="https://w3c.github.io/webappsec-csp/#policy">policy</a>
+ <li><a href="https://w3c.github.io/webappsec-csp/#directive-pre-request-check">pre-request check</a>
+ <li><a href="https://w3c.github.io/webappsec-csp/#directive-value">value</a>
+ </ul>
+ <li>
<a data-link-type="biblio">[FETCH]</a> defines the following terms:
<ul>
+ <li><a href="https://fetch.spec.whatwg.org#concept-request-destination">destination</a>
<li><a href="https://fetch.spec.whatwg.org#concept-fetch">fetch</a>
<li><a href="https://fetch.spec.whatwg.org#concept-request">request</a>
<li><a href="https://fetch.spec.whatwg.org#concept-response-type">response type</a>
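Review bot: the new index entry labels these terms as defined by [CSP1], yet every link points at the w3c.github.io/webappsec-csp editor's draft, whereas the markup replaced earlier in this same PR linked content-security-policy to www.w3.org/TR/CSP/. Check that the biblio entry [CSP1] resolves to the document in which these anchors (directive-pre-request-check, directive-value, policy) actually exist; a REC should not hang normative cross-references on editor's-draft anchors that can move.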
@@ -2095,8 +2123,13 @@ <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span cla
<li><a href="http://www.w3.org/TR/html5/document-metadata.html#concept-link-obtain">obtain a resource</a>
<li><a href="http://www.w3.org/TR/html5/scripting-1.html#prepare-a-script">prepare a script</a>
<li><a href="http://www.w3.org/TR/html5/infrastructure.html#reflect">reflect</a>
- <li><a href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">split on spaces</a>
- <li><a href="http://www.w3.org/TR/html5/scripting-1.html#split-a-string-on-spaces">splitting tokens on spaces</a>
+ <li><a href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">split a string on spaces</a>
+ </ul>
+ <li>
+ <a data-link-type="biblio">[rfc7230]</a> defines the following terms:
+ <ul>
+ <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.3">rws</a>
+ <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a>
</ul>
<li>
<a data-link-type="biblio">[rfc7234]</a> defines the following terms:
@@ -2188,26 +2221,26 @@ <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">I
<aside class="dfn-panel" data-for="cross-origin">
<b><a href="#cross-origin">#cross-origin</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-cross-origin-1">3.3.2. Is response eligible for integrity validation?</a>
+ <li><a href="#ref-for-cross-origin-1">3.4.2. Is response eligible for integrity validation?</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="same-origin">
<b><a href="#same-origin">#same-origin</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-same-origin-1">3.3.2. Is response eligible for integrity validation?</a>
+ <li><a href="#ref-for-same-origin-1">3.4.2. Is response eligible for integrity validation?</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="representation-data">
<b><a href="#representation-data">#representation-data</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-representation-data-1">3.3.1. Apply algorithm to response</a> <a href="#ref-for-representation-data-2">(2)</a>
+ <li><a href="#ref-for-representation-data-1">3.4.1. Apply algorithm to response</a> <a href="#ref-for-representation-data-2">(2)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="base64-encoding">
<b><a href="#base64-encoding">#base64-encoding</a></b><b>Referenced in:</b>
<ul>
<li><a href="#ref-for-base64-encoding-1">3.1. Integrity metadata</a>
- <li><a href="#ref-for-base64-encoding-2">3.3.1. Apply algorithm to response</a>
+ <li><a href="#ref-for-base64-encoding-2">3.4.1. Apply algorithm to response</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="integrity-metadata">
@@ -2216,49 +2249,63 @@ <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">I
<li><a href="#ref-for-integrity-metadata-1">1.2.1. Resource Integrity</a> <a href="#ref-for-integrity-metadata-2">(2)</a> <a href="#ref-for-integrity-metadata-3">(3)</a>
<li><a href="#ref-for-integrity-metadata-4">3.2. Cryptographic hash functions</a>
<li><a href="#ref-for-integrity-metadata-5">3.2.1. Agility</a>
- <li><a href="#ref-for-integrity-metadata-6">3.3.3. Parse metadata</a>
- <li><a href="#ref-for-integrity-metadata-7">3.5. The integrity attribute</a>
- <li><a href="#ref-for-integrity-metadata-8">3.8.1. The link element for stylesheets</a>
- <li><a href="#ref-for-integrity-metadata-9">3.8.2. The script element</a>
- <li><a href="#ref-for-integrity-metadata-10">4. Proxies</a>
- <li><a href="#ref-for-integrity-metadata-11">5.1. Non-secure contexts remain non-secure</a>
+ <li><a href="#ref-for-integrity-metadata-6">3.3.3. Apply algorithm to request</a> <a href="#ref-for-integrity-metadata-7">(2)</a> <a href="#ref-for-integrity-metadata-8">(3)</a>
+ <li><a href="#ref-for-integrity-metadata-9">3.4.3. Parse metadata</a>
+ <li><a href="#ref-for-integrity-metadata-10">3.6. The integrity attribute</a>
+ <li><a href="#ref-for-integrity-metadata-11">3.9.1. The link element for stylesheets</a>
+ <li><a href="#ref-for-integrity-metadata-12">3.9.2. The script element</a>
+ <li><a href="#ref-for-integrity-metadata-13">4. Proxies</a>
+ <li><a href="#ref-for-integrity-metadata-14">5.1. Non-secure contexts remain non-secure</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="getprioritizedhashfunction">
<b><a href="#getprioritizedhashfunction">#getprioritizedhashfunction</a></b><b>Referenced in:</b>
<ul>
<li><a href="#ref-for-getprioritizedhashfunction-1">3.2.2. Priority</a>
- <li><a href="#ref-for-getprioritizedhashfunction-2">3.3.4. Get the strongest metadata from set</a>
+ <li><a href="#ref-for-getprioritizedhashfunction-2">3.4.4. Get the strongest metadata from set</a>
+ </ul>
+ </aside>
+ <aside class="dfn-panel" data-for="require-sri-for">
+ <b><a href="#require-sri-for">#require-sri-for</a></b><b>Referenced in:</b>
+ <ul>
+ <li><a href="#ref-for-require-sri-for-1">3.3.2. Parsing require-sri-for</a>
+ <li><a href="#ref-for-require-sri-for-2">3.3.3. Apply algorithm to request</a> <a href="#ref-for-require-sri-for-3">(2)</a>
+ </ul>
+ </aside>
+ <aside class="dfn-panel" data-for="known-tokens">
+ <b><a href="#known-tokens">#known-tokens</a></b><b>Referenced in:</b>
+ <ul>
+ <li><a href="#ref-for-known-tokens-1">3.3.2. Parsing require-sri-for</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-hash-with-options">
<b><a href="#grammardef-hash-with-options">#grammardef-hash-with-options</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-hash-with-options-1">3.5. The integrity attribute</a> <a href="#ref-for-grammardef-hash-with-options-2">(2)</a>
+ <li><a href="#ref-for-grammardef-hash-with-options-1">3.6. The integrity attribute</a> <a href="#ref-for-grammardef-hash-with-options-2">(2)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-option-expression">
<b><a href="#grammardef-option-expression">#grammardef-option-expression</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-option-expression-1">3.5. The integrity attribute</a>
+ <li><a href="#ref-for-grammardef-option-expression-1">3.6. The integrity attribute</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-hash-algo">
<b><a href="#grammardef-hash-algo">#grammardef-hash-algo</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-hash-algo-1">3.5. The integrity attribute</a>
+ <li><a href="#ref-for-grammardef-hash-algo-1">3.6. The integrity attribute</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-base64-value">
<b><a href="#grammardef-base64-value">#grammardef-base64-value</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-base64-value-1">3.5. The integrity attribute</a>
+ <li><a href="#ref-for-grammardef-base64-value-1">3.6. The integrity attribute</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="grammardef-hash-expression">
<b><a href="#grammardef-hash-expression">#grammardef-hash-expression</a></b><b>Referenced in:</b>
<ul>
- <li><a href="#ref-for-grammardef-hash-expression-1">3.5. The integrity attribute</a>
+ <li><a href="#ref-for-grammardef-hash-expression-1">3.6. The integrity attribute</a>
</ul>
</aside>
<script>/* script-dfn-panel */
@@ -8,7 +8,7 @@
var respecConfig = {
// specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
// Member-SUBM
- specStatus: "PR",
+ specStatus: "REC",
// the specification's short name, as in http://www.w3.org/TR/short-name/
shortName: "SRI",
@@ -21,8 +21,8 @@
edDraftURI: "https://w3c.github.io/webappsec-subresource-integrity/",
crEnd: "2015-12-15",
- previousMaturity: "WD",
- previousPublishDate: "2015-10-06",
+ previousMaturity: "PR",
+ previousPublishDate: "2016-05-10",
implementationReportURI: "https://github.com/w3c/webappsec-subresource-integrity/wiki/Links",
@@ -31,7 +31,7 @@
editors: [
{ name: "Devdatta Akhawe", url: "http://devd.me", mailto: "[email protected]", company: "Dropbox, Inc.", companyURL: "https://www.dropbox.com/"},
{ name: "Frederik Braun", url: "https://frederik-braun.com/", mailto: "[email protected]", company: "Mozilla", companyURL: "https://www.mozilla.org/", w3cid: 68466 },
- { name: "Francois Marier", url: "https://fmarier.org", mailto: "[email protected]", company: "Mozilla", companyURL: "https://www.mozilla.org/" },
+ { name: "François Marier", url: "https://fmarier.org", mailto: "[email protected]", company: "Mozilla", companyURL: "https://www.mozilla.org/" },
{ name: "Joel Weinberger", url: "https://joelweinberger.us/", mailto: "[email protected]", company: "Google, Inc.", companyURL: "https://google.com/" },
],
@@ -8,7 +8,7 @@
var respecConfig = {
// specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
// Member-SUBM
- specStatus: "PR",
+ specStatus: "REC",
// the specification's short name, as in http://www.w3.org/TR/short-name/
shortName: "SRI",
@@ -21,8 +21,8 @@
edDraftURI: "https://w3c.github.io/webappsec-subresource-integrity/",
crEnd: "2015-12-15",
- previousMaturity: "WD",
- previousPublishDate: "2015-10-06",
+ previousMaturity: "PR",
+ previousPublishDate: "2016-05-10",
implementationReportURI: "https://github.com/w3c/webappsec-subresource-integrity/wiki/Links",
@@ -31,7 +31,7 @@
editors: [
{ name: "Devdatta Akhawe", url: "http://devd.me", mailto: "[email protected]", company: "Dropbox, Inc.", companyURL: "https://www.dropbox.com/"},
{ name: "Frederik Braun", url: "https://frederik-braun.com/", mailto: "[email protected]", company: "Mozilla", companyURL: "https://www.mozilla.org/", w3cid: 68466 },
- { name: "Francois Marier", url: "https://fmarier.org", mailto: "[email protected]", company: "Mozilla", companyURL: "https://www.mozilla.org/" },
+ { name: "François Marier", url: "https://fmarier.org", mailto: "[email protected]", company: "Mozilla", companyURL: "https://www.mozilla.org/" },
{ name: "Joel Weinberger", url: "https://joelweinberger.us/", mailto: "[email protected]", company: "Google, Inc.", companyURL: "https://google.com/" },
],