/webappsec-subresource-integrity

New issue

Extend SRI to apply to <link rel=preload> #26

Open
metromoxie opened this Issue Jan 13, 2016 · 3 comments

Labels

None yet

Milestone

  v2

Assignees

No one assigned

4 participants

@metromoxie @fmarier @igrigorik @mozfreddyb
@metromoxie
metromoxie commented Jan 13, 2016

This could allow a developer to put an integrity on a preload such that they don't need to markup every instance of the resource in the DOM. For example, place the integrity on the preload at the top of the page and allow resources to be programmatically added without any need to add an integrity attribute. @yoavweiss @igrigorik

@fmarier
World Wide Web Consortium member
fmarier commented Jan 13, 2016

This could allow a developer to put an integrity on a preload such that they don't need to markup every instance of the resource in the DOM.

What if a user has disabled preload / prefetch? They effectively be disabling SRI?

@metromoxie
metromoxie commented Jan 13, 2016

Is that a thing? Why can users disable ? I'll have to let @yoavweiss and @igrigorik comment on that, as I know almost nothing about that spec.

@igrigorik
World Wide Web Consortium member
igrigorik commented Jan 13, 2016

The user can't disable declarative prefetch/preload - e.g. if you were able to, the developer can just fallback to injecting an img/xhr, etc, so this is a noop setting. The user may be able to disable speculative prefetch - e.g. fetches initiated by the browser based on navigation history or other signals.

What we're talking about here is declarative prefetch/preload.

This was referenced Jan 25, 2016
Closed
Closed
@mozfreddyb mozfreddyb added this to the v2 milestone Aug 31, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment