Add an SRI control as either a CSP directive or a new header #23

Open
metromoxie opened this Issue Dec 22, 2015 · 3 comments

@metromoxie

Per the suggestion in https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0045.html, it might make sense to extend CSP with a directive to control SRI. For example, we could have an sri-options directive that can take options like scripts-require-sri. This would also be a good place to eventually have a report-only option for SRI.

@jonathanKingston

See also previous discussions: w3c/webappsec#16 (comment)

@mozfreddyb

How is this tied to CSP? I'm wondering if the Integrity Policy should come in its own header.

@metromoxie

In fact, the rest of that thread eventually makes the point that it may make sense to put it in its own header :-) There isn't consensus about whether it should be a CSP directive or a separate header, so I'll rename this issue appropriately.

@metromoxie metromoxie changed the title from Add a CSP SRI directive to Add an SRI control as either a CSP directive or a new header Jan 4, 2016
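
An added example, not part of the thread or of any specification: a Python audit that lists the external scripts a `scripts-require-sri` option would affect, with an enforce mode and a report-only mode. The semantics are assumptions, since the thread only names the option; the function names, sample page and digest value are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# An integrity token is "<alg>-<base64 digest>"; SRI defines sha256/384/512.
_TOKEN = re.compile(r"^(sha256|sha384|sha512)-[A-Za-z0-9+/]+={0,2}(\?.*)?$")

# Constructed sample page; the sha384 digest is a placeholder, not a real hash.
SAMPLE_PAGE = """
<script src="https://cdn.example/a.js"
        integrity="sha384-Q09OU1RSVUNURUQ=" crossorigin="anonymous"></script>
<script src="https://cdn.example/b.js"></script>
<script src="/c.js" integrity="md5-abcd"></script>
<script>var inline = 1;</script>
"""


class _ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):  # inline scripts have no src and are skipped here
            self.scripts.append((a["src"], a.get("integrity") or ""))


def scripts_missing_sri(html):
    """Return the src of each external script with no usable integrity token."""
    parser = _ScriptCollector()
    parser.feed(html)
    return [src for src, integrity in parser.scripts
            if not any(_TOKEN.match(t) for t in integrity.split())]


def evaluate(html, report_only=False):
    """Assumed policy model: returns (blocked, reported) lists of script URLs.

    In report-only mode nothing is blocked, but violations are still reported.
    """
    missing = scripts_missing_sri(html)
    return ([], missing) if report_only else (missing, missing)
```

Running `evaluate(SAMPLE_PAGE, report_only=True)` against a site's rendered pages gives the list of scripts that would need `integrity` attributes before such a policy could be enforced.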