Skip to content

Integrity-Policy integration #11334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

yoavweiss
Copy link
Contributor

@yoavweiss yoavweiss commented May 26, 2025

This is a followup on w3c/webappsec-subresource-integrity#133:

  • Defining integrity policy and report only integrity policy on "policy container"
  • Integrating "parse integrity policy headers" into "create a policy container from fetch response"

(See WHATWG Working Mode: Changes for more details.)


/browsers.html ( diff )
/infrastructure.html ( diff )

@yoavweiss yoavweiss requested a review from domenic May 26, 2025 23:51

<li><p>An <dfn export for="policy container" data-x="policy-container-integrity-policy">integrity
policy</dfn>, which is an <span data-x="integrity policy struct">integrity policy struct</span>.
</p></li>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No whitespace between . and <

@@ -2747,6 +2747,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<li><dfn data-x-href="https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata">parse integrity metadata</dfn></li>
<li><dfn data-x-href="https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute">the requirements of the integrity attribute</dfn></li>
<li><dfn data-x-href="https://w3c.github.io/webappsec-subresource-integrity/#get-the-strongest-metadata">get the strongest metadata from set</dfn></li>
<li><dfn data-x-href="https://w3c.github.io/webappsec-subresource-integrity/#integrity-policy-struct">integrity policy struct</dfn></li>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't love including "struct" in the names.

@@ -90683,6 +90693,9 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
`<code>Referrer-Policy</code>` header</span> given <var>response</var>.
<ref>REFERRERPOLICY</ref></p></li>

<li><p><span data-x="parse Integrity-Policy headers">Parse Integrity-Policy headers</span> with
<var>Response</var> and <var>result</var>.</p></li>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<var>Response</var> and <var>result</var>.</p></li>
<var>vesponse</var> and <var>result</var>.</p></li>


<li><p>A <dfn export for="policy container"
data-x="policy-container-report-only-integrity-policy">report only integrity policy</dfn>, which
is an <span data-x="integrity policy struct">integrity policy struct</span>.</p></li>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What values do these have for policy containers not created from "create a policy container from a fetch response"? E.g. the fallback case in "determine navigation params policy container", or the one created in "snapshot source snapshot params" for browser UI-initiated navigations, or the one created in "Loading a document for inline content that doesn't have a DOM", or the initial values for documents and workers?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants