Contact emails
yoavwe...@chromium.org

Explainer
Not yet

Specification
Not yet

Summary
The `require-sri-for` directive gives developers the ability to assert that every resource of a given type must be integrity checked. If an attempt is made to load a resource of that type without integrity metadata, that attempt will fail and trigger a CSP violation report.

Blink component
Blink>SecurityFeature>ContentSecurityPolicy <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EContentSecurityPolicy%22>

Motivation
Subresource Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there is currently no way for developers to be sure that all of their scripts are validated using SRI. The `require-sri-for` CSP directive would enable developers to achieve that.

Initial public proposal
This revives an old I2I <https://groups.google.com/a/chromium.org/g/blink-dev/c/jyCdW1dHyYA/m/UHJo6O1RAQAJ> for the ~same API.

TAG review
Not yet

TAG review status
N/A

Risks

Interoperability and Compatibility
No particular compatibility concern. It's too early to discuss interop risks, but at worst, this directive would apply (voluntary) content restrictions which won't be applied in non-supporting browsers. So I wouldn't expect content to break in other browsers.

*Gecko*: No signal. Haven't asked yet.
*WebKit*: No signal. Haven't asked yet.
*Web developers*: No signals, but I suspect PCIv4 <https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0> would make some developers interested in making sure their documents' scripts have complete integrity checks.
*Other signals*:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None

Debuggability
None

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes <https://chromium-review.googlesource.com/c/chromium/src/+/5877633>

Flag name on about://flags
None

Finch feature name
RequireSRIFor

Non-finch justification
None

Requires code in //chrome?
False

Estimated milestones
No milestones specified

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5090023365672960?gate=5197803019829248

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.