Background: w3c/webappsec-csp#85.

Please don't remove index.html in your branch.

Please don't remove index.html in your branch.

I thought approach here is the same as in CSP, where maintainer commits bikeshed output.
I amended commit to include index.bikeshed.html.
I haven't changed spec.markdown, which is the producer of index.html assuming development was switched to used Bikeshed. Should I port my changes to Markdown after we are done, to get updated index.html?

spec.markdown and index.html are SRI version 1, which we can't modify lightly.
require-sri-for should land in the next SRI version, so I'd prefer you only patch index.bikeshed.bs :)

Looks good from my side. Thank you for writing this down, Sergey!
paging other spec editors @metromoxie, @devd @fmarier

lgtm % nits/minor comments. Thanks a lot, @shekyan!

This looks like a good start, but I have some questions that I've left inline. Thanks!

@mikewest , please review if this looks sane when you have a chance.

Seems pretty reasonable to me % the comments I left. I'll leave the question of which files to touch to the SRI editors who know what's up there.

Again, thank you Sergey for bearing with our endless feedback :-)
(Also thanks to @mikewest for reviewing!)

I think this PR needs wording that suggests a missing integrity attribute will trigger a CSP violation report.

Addressed @mikewest and @mozfreddyb comments. I don't know if we want to allow this directive be delivered through header only or within <meta> element as well. Thoughts?

I see no harm in allowing it in <meta> other than our general push to allow fewer things there. I suppose if we extend the directive later, we could be sad, if, for example, we allow requiring certain algorithms, then there might be a path to downgrading what algorithms we enforce, but that does already require injection on the page.

@mikewest, what do you think?

The only things we've banned from <meta> were things that were dangerous (report-uri), or difficult to apply at runtime (sandbox and frame-ancestors). I don't think this directive would be difficult to apply (though it probably has some interaction with the preload scanner that we'll need to document somewhere).

LGTM % nits.

Folks, there is currently a problem in @mozfreddyb's implementation around resources loaded from CORS-disabled servers. It needs to be reflected in the spec, so I'll start the discussion here:

require-sri-for matching algorithm should allow requests that are missing both integrity metadata and CORS setting attribute, Otherwise, require-sri-for usage is limited to pages that load resources only from CORS-enabled servers.

Example: Content-Security-Policy: require-sri-for script implies that all script elements should have integrity metadata present, but it is not possible to have integrity metadata on resources that are served by CORS-disabled servers, like https://www.google-analytics.com/analytics.js.

What do you think?

P.S. Is there a way to load a resource anonymously from CORS-unaware servers without violating SOP?
Do not see why crossorigin='anonymous' requires server to be CORS-aware.

FWIW, lgtm with this PR now that @mikewest has approved the change. @devd do you want to review the change? Or should we go ahead and merge?

My understanding is that this only affects scripts/styles inserted through HTML elements. (because that's what SRI is defined for right now). If so, should the tokens be named script-element rather than just script? e.g., what if a service worker is served with a CSP policy of require-sri-for? How will that work?

I think it's substantially cleaner to reuse the terms from Fetch (https://fetch.spec.whatwg.org/#concept-request-destination) rather than inventing new subsets. Doing so ensures that you'll actually have the detail necessary to block requests. Note, for instance, that Fetch doesn't have any information that would allow it to distinguish <script src='whatever'> and importScripts(whatever).

The argument that SRI doesn't yet support importScripts seems like a poor reason for introducing more complexity to script loading. It instead seems like a good reason to extend SRI to support more resource types, which I think y'all are planning to do anyway. :)

They'd break right away in the presence of this directive, since we'd be blocking the requests. They'd start working once we support those mechanisms. Sounds like a good reason to start widening our support. :)

@mikewest, I agree with @devd. In Fetch, destination "script" is for both <script> and importScripts(). Or, destination "media" is for HTML's <audio>, <track>, <video>. So if we reuse terms from Fetch 1-to-1, it might lead to less granular control in the future.

require-sri-for matching algorithm should allow requests that are missing both integrity metadata and CORS setting attribute, Otherwise, require-sri-for usage is limited to pages that load resources only from CORS-enabled servers.

I thought that's the intention behind all this? That nobody can use scripts without using integrity (and thus requesting from a CORS-enabled server or a same-origin server).

To answer the other question: require-sri-for should work in <meta> CSP policies. Firefox Nightly does not this and that's a bug 🐞 .

I thought that's the intention behind all this? That nobody can use scripts without using integrity (and thus requesting from a CORS-enabled server or a same-origin server).

Yes, but if SRI does not provide a way to verify integrity of a resource from CORS-disabled server, then that resource should not be subject to require-sri-for, no?

Again, that sounds to me like an argument that SRI should be extended to support resource types it doesn't yet support, not that the current model is a bad one.

Yes, but if SRI does not provide a way to verify integrity of a resource from CORS-disabled server, then that resource should not be subject to require-sri-for, no?

I strongly disagree. If there's no way to verify integrity, then there's no way that resource is safe to use. The keyword quite literally says require integrity ;)

I strongly disagree. If there's no way to verify integrity, then there's no way that resource is safe to use. The keyword quite literally says require integrity ;)

Ultimately, I agree with you, e.g. SRI should be able to verify the integrity of all <script> elements, except if they should not be verified for security reasons.
Practically, require-sri-for would have very limited usage today, because, for example, Google Analytics serves it's code without Access-Control-Allow-Origin, so no way to load the resource anonymously, thus enable SRI on it.
I don't know if anything can be done on SRI land to fix this.
I'll try to tackle CORS spec authors to understand why it is not possible to send anonymous requests to CORS-disabled servers.

Oh man. I totally missed @mikewest comment. I am ok with that and this PR seems to be ready to go then if there is no other objections!

@devd, added a note.

thanks! this looks good. merging since everyone else ok'ed it.

Would y'all mind publishing this document somewhere? It's tough to skim through sections when reviewing patches, as I end up needing to come back to this PR rather than reading a nicely formatted doc. :)

done at https://w3c.github.io/webappsec-subresource-integrity/index.bikeshed.html

Since v1 is in the final stages of becoming a rec, I din't want to touch index.html. Once it is done, I will update index.html too.

Just now saw this was merged. Thanks so much for the effort ❤️.

FYI, I started a discussion on the mailing list. It is about APIs that do not know about integrity metadata (e.g. CSS @import and importScript() and the new Worker constructor in JS) and whether they should be blocked by require-sri-for.

Please read the thread and send your feedback!
https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0027.html

cc @ptoomey3 @shekyan @devd