
SRI: One more time, for the link checker. :(

1 parent d5f98b3 commit 2819f1a46d787868f7b3782b8a734e6ae173aa31 @mikewest mikewest committed Mar 13, 2014
Showing with 19 additions and 12 deletions.
  1. +5 −5 20140318/index.html
  2. +11 −4 index.html
  3. +3 −3 spec.markdown
View
@@ -436,7 +436,7 @@
</p>
<h1 class="title p-name" id="title" property="dcterms:title">Subresource Integrity</h1>
- <h2 property="dcterms:issued" datatype="xsd:dateTime" content="2014-03-18T09:26:21.000Z" id="w3c-first-public-working-draft-18-march-2014"><abbr title="World Wide Web Consortium">W3C</abbr> First Public Working Draft <time class="dt-published" datetime="2014-03-18">18 March 2014</time></h2>
+ <h2 property="dcterms:issued" datatype="xsd:dateTime" content="2014-03-18T09:32:37.000Z" id="w3c-first-public-working-draft-18-march-2014"><abbr title="World Wide Web Consortium">W3C</abbr> First Public Working Draft <time class="dt-published" datetime="2014-03-18">18 March 2014</time></h2>
<dl>
<dt>This version:</dt>
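Review bot: The only change in this hunk is the time portion of the `dcterms:issued` `content` value (`09:26:21` to `09:32:37`), which reads like a regeneration timestamp rather than an intended edit. If this dated snapshot is rebuilt by a tool, consider pinning the issued timestamp so that each rebuild does not add an unrelated line to the diff.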
@@ -740,7 +740,7 @@ <h4 id="fallback" aria-level="3" role="heading"><span class="secno">1.2.3 </span
<p>An author wishes to load a resource over an insecure channel for performance
reasons, but fall back to a secure channel if the insecurely-loaded resource
is manipulated. She can do this by adding <a href="#dfn-integrity-metadata">integrity metadata</a> and a
-<a href="#the-noncanonical-src-attribute">non-canonical source</a> to the <code>script</code> element:</p>
+<a href="#the-noncanonical-src-attribute-todo">non-canonical source</a> to the <code>script</code> element:</p>
<div class="example"><div class="example-title"><span>Example 5</span></div><pre class="example highlight prettyprint prettyprinted"><code><span class="tag">&lt;script</span><span class="pln"> </span><span class="atn">src</span><span class="pun">=</span><span class="atv">"https://rockin-resources.com/script.js"</span><span class="pln">
</span><span class="atn">noncanonical-src</span><span class="pun">=</span><span class="atv">"http://insecurity-is-inherent.net/script.js"</span><span class="pln">
@@ -1088,7 +1088,7 @@ <h4 id="the-integrity-attribute" aria-level="3" role="heading"><span class="secn
<pre><code>integrity-metatata = "" / 1#( *WSP NI-URL ) *WSP ]
</code></pre>
- <p>The <code>NI-URL</code> rule is defined in <a href="http://tools.ietf.org/html/rfc6920#section3">RFC6920, section 3, figure 4</a>.</p>
+ <p>The <code>NI-URL</code> rule is defined in <a href="http://tools.ietf.org/html/rfc6920#section-3">RFC6920, section 3, figure 4</a>.</p>
<p>The <code>integrity</code> IDL attribute must <a href="http://www.w3.org/TR/html5/infrastructure.html#reflect">reflect</a> the <code>integrity</code> content attribute.</p>
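Review bot: The ABNF context line directly above the corrected RFC 6920 link is left as `integrity-metatata = "" / 1#( *WSP NI-URL ) *WSP ]`, where the rule name is misspelled ("metatata") and the trailing `]` has no opening bracket. This is the grammar the `integrity` attribute value is parsed against, so the rule name and the bracket balance are worth fixing in the same pass as the link.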
@@ -1235,7 +1235,7 @@ <h4 id="handling-integrity-violations" aria-level="3" role="heading"><span class
a fallback resource as specified for each relevant element. If the fallback
resource fails an integrity check, the user agent <em class="rfc2119" title="MUST">MUST</em> refuse to render or
execute the resource, <em>and</em> <em class="rfc2119" title="MUST">MUST</em> <a href="http://www.w3.org/TR/CSP11/#dfn-report-a-violation">report a(nother)
-violation</a>. (See <a href="#the-noncanonical-src-attribute">the <code>noncanonical-src</code>
+violation</a>. (See <a href="#the-noncanonical-src-attribute-todo">the <code>noncanonical-src</code>
attribute</a> for a strawman of how that might look).</p></div>
<div class="issue"><div class="issue-title" aria-level="4" role="heading" id="h_issue_7"><span>Issue 7</span></div><p class="">If the document’s integrity policy contains <code>require-for-all</code>, the user agent
@@ -1882,7 +1882,7 @@ <h3 id="recommendations" aria-level="2" role="heading"><span class="secno">4.2 <
<li>The integrity metadata uses a hash function with very strong uniqueness
characteristics: SHA-512 or better.</li>
<li>If a Content Security Policy is active in a context, the <code>script</code> or
-<code>link</code> element which triggered the resource’s fetch has a <a href="http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#valid-nonces">valid nonce</a>.</li>
+<code>link</code> element which triggered the resource’s fetch has a <a href="http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html">valid nonce</a>.</li>
</ul>
<div class="issue"><div class="issue-title" aria-level="3" role="heading" id="h_issue_16"><span>Issue 16</span></div><p class="">More ideas? Limiting to resources with wide-open CORS headers and strong
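Review bot: Dropping the `#valid-nonces` fragment from the "valid nonce" link satisfies the link checker but sends readers to the top of the CSP draft instead of the definition this recommendation relies on. Prefer pointing at whichever fragment currently carries that definition in the target document, or leave a TODO next to the link so the precise target is restored later.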
View
@@ -280,7 +280,7 @@ <h4 id="fallback">Fallback</h4>
<p>An author wishes to load a resource over an insecure channel for performance
reasons, but fall back to a secure channel if the insecurely-loaded resource
is manipulated. She can do this by adding <a href="#dfn-integrity-metadata">integrity metadata</a> and a
-<a href="#the-noncanonical-src-attribute">non-canonical source</a> to the <code>script</code> element:</p>
+<a href="#the-noncanonical-src-attribute-todo">non-canonical source</a> to the <code>script</code> element:</p>
<pre class="example highlight"><code>&lt;script src="https://rockin-resources.com/script.js"
noncanonical-src="http://insecurity-is-inherent.net/script.js"
@@ -621,7 +621,7 @@ <h4 id="the-integrity-attribute">The <code>integrity</code> attribute</h4>
<pre><code>integrity-metatata = "" / 1#( *WSP NI-URL ) *WSP ]
</code></pre>
- <p>The <code>NI-URL</code> rule is defined in <a href="http://tools.ietf.org/html/rfc6920#section3">RFC6920, section 3, figure 4</a>.</p>
+ <p>The <code>NI-URL</code> rule is defined in <a href="http://tools.ietf.org/html/rfc6920#section-3">RFC6920, section 3, figure 4</a>.</p>
<p>The <code>integrity</code> IDL attribute must <a href="http://www.w3.org/TR/html5/infrastructure.html#reflect">reflect</a> the <code>integrity</code> content attribute.</p>
@@ -778,7 +778,7 @@ <h4 id="handling-integrity-violations">Handling integrity violations</h4>
a fallback resource as specified for each relevant element. If the fallback
resource fails an integrity check, the user agent MUST refuse to render or
execute the resource, <em>and</em> MUST <a href="http://www.w3.org/TR/CSP11/#dfn-report-a-violation">report a(nother)
-violation</a>. (See <a href="#the-noncanonical-src-attribute">the <code>noncanonical-src</code>
+violation</a>. (See <a href="#the-noncanonical-src-attribute-todo">the <code>noncanonical-src</code>
attribute</a> for a strawman of how that might look).</p>
<p class="issue" data-number="7">If the document&#8217;s integrity policy contains <code>require-for-all</code>, the user agent
@@ -906,6 +906,13 @@ <h6 id="the-iframe-element">The <code>iframe</code> element</h6>
</li>
</ul>
+ <div class="note">
+ <p>Note that this will <em>only</em> check the integrity of the <code>iframe</code>&#8217;s document source.
+No subsequent verification for the document&#8217;s subresources is perfomed.
+If integrity checks for the document&#8217;s subresources are desirable, the document
+loaded into the <code>iframe</code> needs to include <a href="#dfn-integrity-metadata">integrity metadata</a> for its subresources.</p>
+ </div>
+
<p class="issue" data-number="8">How does this effect things like the preload scanner? How much work is it
going to be for vendors to change the &#8220;display whatever we&#8217;ve got, ASAP!&#8221;
behavior that makes things fast for users? How much impact will there be
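Review bot: The added `iframe` note is a content change inside a commit whose message describes a link-checker fix, and its second added line misspells "performed" as "perfomed". None of the spec.markdown hunks in this commit carry the same note, so confirm that the source and this rendered file agree, and consider moving the note into its own commit so the scope limitation it states (only the `iframe` document source is checked, not its subresources) is reviewed on its own.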
@@ -1421,7 +1428,7 @@ <h4 id="recommendations">Recommendations</h4>
<li>The integrity metadata uses a hash function with very strong uniqueness
characteristics: SHA-512 or better.</li>
<li>If a Content Security Policy is active in a context, the <code>script</code> or
-<code>link</code> element which triggered the resource&#8217;s fetch has a <a href="http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#valid-nonces">valid nonce</a>.</li>
+<code>link</code> element which triggered the resource&#8217;s fetch has a <a href="http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html">valid nonce</a>.</li>
</ul>
<p class="issue" data-number="16">More ideas? Limiting to resources with wide-open CORS headers and strong
View
@@ -475,7 +475,7 @@ following ABNF grammar:
The `NI-URL` rule is defined in [RFC6920, section 3, figure 4][niurl].
-[niurl]: http://tools.ietf.org/html/rfc6920#section3
+[niurl]: http://tools.ietf.org/html/rfc6920#section-3
The `integrity` IDL attribute must [reflect][] the `integrity` content attribute.
@@ -488,7 +488,7 @@ between algorithms.
<section>
#### The `noncanonical-src` attribute (TODO)
-[noncanonical]: #the-noncanonical-src-attribute
+[noncanonical]: #the-noncanonical-src-attribute-todo
Authors MAY opt-in to a fallback mechanism whereby user agents would initially
attempt to load resources from a non-canonical source (perhaps over HTTP, for
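Review bot: The new `[noncanonical]` target `#the-noncanonical-src-attribute-todo` matches the heading text including its "(TODO)" suffix, so every link updated in this commit breaks again as soon as that suffix is removed from the heading. Give the section an explicit, stable id that does not depend on the heading wording, and point `[noncanonical]` at that.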
@@ -1187,7 +1187,7 @@ are all true:
* If a Content Security Policy is active in a context, the `script` or
`link` element which triggered the resource's fetch has a [valid nonce][].
-[valid nonce]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#valid-nonces
+[valid nonce]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
More ideas? Limiting to resources with wide-open CORS headers and strong
hash functions seems like a reasonable start...
