Summary: Allow web authors to add integrity checks to sub-resources.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=992096

Spec: http://www.w3.org/TR/SRI/

Platforms: all

Estimated or target release: Q1 of 2015

Preference behind which this will be implemented:
security.subResourceIntegrity.enable

Background:

The best way to explain this is through an example. If you have the
following:

<script src="https://code.jquery.com/jquery-1.10.2.min.js"
        integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=application/javascript"></script>

then the browser will refuse to execute the script if someone has gained
access to the jQuery servers and has replaced the script with a
malicious one (the hash won't match the expected one).

Our initial implementation will be limited to integrity checks for
script tags and stylesheets. While the spec is still evolving, we expect
to cover everything that ends up in level 1 of the spec.

Feel free to contact me if you have any questions.

Francois
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
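
The check described in the message above, as an added sketch that is not part of the original post and is not Firefox code: it builds and verifies integrity metadata in the draft ni:/// syntax shown in the example tag. The function names, the sample script bytes, and the choice to fail closed on unparseable metadata or a "ct" mismatch are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Draft-syntax algorithm names mapped to hashlib names (the message only uses sha-256).
SUPPORTED = {"sha-256": "sha256"}


def make_integrity(body: bytes, content_type: str, alg: str = "sha-256") -> str:
    """Build an ni:/// integrity value (unpadded base64url digest) for a resource body."""
    digest = hashlib.new(SUPPORTED[alg], body).digest()
    b64 = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"ni:///{alg};{b64}?ct={content_type}"


def parse_integrity(value: str):
    """Split an ni:/// value into (algorithm, raw digest bytes, content type or None)."""
    parts = urlsplit(value)
    if parts.scheme != "ni" or parts.netloc or ";" not in parts.path:
        raise ValueError("not an ni:/// integrity value")
    alg, _, b64 = parts.path.lstrip("/").partition(";")
    if alg not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {alg}")
    digest = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    params = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    return alg, digest, params.get("ct")


def integrity_ok(body: bytes, content_type: str, integrity: str) -> bool:
    """True only if the fetched body and content type match the pinned metadata."""
    try:
        alg, expected, ct = parse_integrity(integrity)
    except ValueError:
        return False  # assumption of this sketch: fail closed on unreadable metadata
    if ct is not None and ct != content_type:
        return False  # assumption of this sketch: a "ct" mismatch is a failure
    actual = hashlib.new(SUPPORTED[alg], body).digest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data, not the real jQuery file.
ORIGINAL = b"window.demo = function () { return 1; };\n"
TAMPERED = ORIGINAL + b"/* injected */\n"
PINNED = make_integrity(ORIGINAL, "application/javascript")

if __name__ == "__main__":
    print(PINNED)
    print("original accepted:", integrity_ok(ORIGINAL, "application/javascript", PINNED))
    print("tampered accepted:", integrity_ok(TAMPERED, "application/javascript", PINNED))
```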