Integrity-Policy header for scripts

[yoavweiss]

Request for Mozilla Position on an Emerging Web Specification

• Specification title: Integrity-Policy header for scripts
• Specification or proposal URL (if available): Add Integrity-Policy for scripts w3c/webappsec-subresource-integrity#133
• Explainer URL (if available): Add Integrity-Policy for scripts w3c/webappsec-subresource-integrity#133
• Proposal author(s) (@-mention GitHub accounts): @yoavweiss
• Caniuse.com URL (optional):
• Bugzilla URL (optional):
• Mozillians who can provide input (optional): @zcorpan @mozfreddyb
• WebKit standards-position: Integrity-Policy header for scripts WebKit/standards-positions#458

Other information

Subresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI.

The Integrity-Policy header gives developers the ability to assert that every resource of a given type needs to be integrity-checked. If a resource of that type is attempted to be loaded without integrity metadata, that attempt will fail and trigger a violation report.

This is a revival of CSP's require-sri-for

[zcorpan]

cc @mozfreddyb

[mozfreddyb]

And forwarding to @beurdouche and @tomrittervg 😉

[tomrittervg]

We have been thinking about and discussing this, we'd like to talk more on the upcoming call. :)

[yoavweiss]

Edited the title and description to reflect the latest thinking on this, as discussed with @mozfreddyb & @tomrittervg

[beurdouche]

We are positive about this as this is the first milestone towards an improved Web Application Integrity Consistency and Transparency mechanism for the Web.