
Integrity-Policy header for scripts #458


Open
yoavweiss opened this issue Feb 10, 2025 · 4 comments
Labels
from: other (Proposed, edited, or co-edited by an individual or entity that doesn't have a more specific label.)
topic: security
venue: W3C Web Application Security WG (Proposal is being reviewed in the W3C's Web Application Security WG, aka WebAppSec.)

Comments

@yoavweiss

yoavweiss commented Feb 10, 2025

WebKittens

@annevk

Title of the proposal

Integrity-Policy header for scripts

URL to the spec

w3c/webappsec-subresource-integrity#133

URL to the spec's repository

No response

Issue Tracker URL

No response

Explainer URL

No response

TAG Design Review URL

w3ctag/design-reviews#1048

Mozilla standards-positions issue URL

No response

WebKit Bugzilla URL

No response

Radar URL

No response

Description

Subresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI.

The Integrity-Policy header gives developers the ability to assert that every resource of a given type needs to be integrity-checked. If an attempt is made to load a resource of that type without integrity metadata, that attempt will fail and trigger a violation report.

@annevk
Contributor

annevk commented Apr 8, 2025

Overall this seems like a reasonable problem to solve, but given the proposal is still evolving we haven't yet established a position. cc @sysrqb

@annevk annevk added the labels topic: security, venue: W3C Web Application Security WG, and from: other on Apr 8, 2025
@yoavweiss yoavweiss changed the title from "require-sri-for CSP directive" to "Integrity-Policy header for scripts" on Apr 23, 2025
@yoavweiss
Author

Updated the title and description to reflect the latest thinking.

@yoavweiss
Author

@annevk - The latest design is in w3c/webappsec-subresource-integrity#133 (and can probably benefit from your review :) )

@annevk
Contributor

annevk commented May 14, 2025

The proposal seems reasonably mature now and agreeable, although the larger issue of the total number of policies to configure remains a concern. As such I suggest we mark this as "position: support" one week from now.
