attempt to write down require-sri-for directive as part of SRI
#32
Conversation
| @@ -343,7 +354,47 @@ implementation detail. It is not an API that implementors | |||
| provide to web applications. It is used in this document | |||
| only to simplify the algorithm description. | |||
|
|
|||
| ## Response verification algorithms ## {#verification-algorithms} | |||
| ## Request verification algorithms ## {#request-verification-algorithms} | |||
There was a problem hiding this comment.
Don't we still want to verify the response?
There was a problem hiding this comment.
Right, sorry. I got confused by the diff viewer.
|
Please don't remove index.html in your branch. |
I thought approach here is the same as in CSP, where maintainer commits bikeshed output. |
|
spec.markdown and index.html are SRI version 1, which we can't modify lightly. |
|
Looks good from my side. Thank you for writing this down, Sergey! |
shekyan
force-pushed
the
require-sri-for
branch
2 times, most recently
from
c004594 to
e9c485f
Compare
|
|
||
| ### Opting-in {#opt-in-require-sri-for} | ||
|
|
||
| Authors may opt a Document to require SRI metadata be present for |
There was a problem hiding this comment.
Should "Document" be a link to a definition?
|
lgtm % nits/minor comments. Thanks a lot, @shekyan! |
| ### Apply |algorithm| to |request| ### {#apply-algorithm-to-request} | ||
|
|
||
| 1. Let |protected resource types| be the result of applying [[#parse-require-sri-for]] | ||
| to the value of the <a>require-sri-for</a> directive. |
There was a problem hiding this comment.
I think this needs to be clarified. A few questions come to mind:
- It's not at all clear what "the
require-sri-fordirective" refers to. I think you probably want to talk about|request|'sclient's (responsible document/global object's)CSP list? - Once you have a CSP list, it's not clear what you expect the behavior to be in the case of conflicting instructions (e.g. one policy with
require-sri-for scriptand another withrequire-sri-for style). - Lots of things have a
typeofscriptthat you might not intend. For example, do you intend for this to apply to {Web,Shared,Service}Workers as well (e.g.new Workerin the document, andimportScriptinside the worker)? If so, SRI probably needs to define that mechanism. Likewise, we treat XSLT asscript-src: should we treat it as "script" here?
|
This looks like a good start, but I have some questions that I've left inline. Thanks! |
|
@mikewest , please review if this looks sane when you have a chance. |
| type: dfn | ||
| text: Content Security Policy; urlPrefix: # | ||
| text: policy; url: policy | ||
| text: pre-request check; url: #directive-pre-request-check |
|
Seems pretty reasonable to me % the comments I left. I'll leave the question of which files to touch to the SRI editors who know what's up there. |
|
Again, thank you Sergey for bearing with our endless feedback :-) I think this PR needs wording that suggests a missing integrity attribute will trigger a CSP violation report. |
|
Folks, there is currently a problem in @mozfreddyb's implementation around resources loaded from CORS-disabled servers. It needs to be reflected in the spec, so I'll start the discussion here:
Example: What do you think? P.S. Is there a way to load a resource anonymously from CORS-unaware servers without violating SOP? |
|
My understanding is that this only affects scripts/styles inserted through HTML elements. (because that's what SRI is defined for right now). If so, should the tokens be named script-element rather than just script? e.g., what if a service worker is served with a CSP policy of require-sri-for? How will that work? |
|
I think it's substantially cleaner to reuse the terms from Fetch (https://fetch.spec.whatwg.org/#concept-request-destination) rather than inventing new subsets. Doing so ensures that you'll actually have the detail necessary to block requests. Note, for instance, that Fetch doesn't have any information that would allow it to distinguish The argument that SRI doesn't yet support |
|
But we ship this and then turn on support for importScripts or @import,
|
|
They'd break right away in the presence of this directive, since we'd be blocking the requests. They'd start working once we support those mechanisms. Sounds like a good reason to start widening our support. :) |
|
Aah ok. If require will from the start enforce sri requirement for fetches
Sri support isn't implemented/spec'ed for, then lgtm.
|
I thought that's the intention behind all this? That nobody can use scripts without using integrity (and thus requesting from a CORS-enabled server or a same-origin server). |
|
To answer the other question: |
Yes, but if SRI does not provide a way to verify integrity of a resource from CORS-disabled server, then that resource should not be subject to |
|
Again, that sounds to me like an argument that SRI should be extended to support resource types it doesn't yet support, not that the current model is a bad one. |
I strongly disagree. If there's no way to verify integrity, then there's no way that resource is safe to use. The keyword quite literally says require integrity ;) |
Ultimately, I agree with you, e.g. SRI should be able to verify the integrity of all |
|
Oh man. I totally missed @mikewest comment. I am ok with that and this PR seems to be ready to go then if there is no other objections! |
|
If we are going with "enforce this even for cases where you can't specify
|
|
@devd, added a note. |
|
thanks! this looks good. merging since everyone else ok'ed it. |
|
Would y'all mind publishing this document somewhere? It's tough to skim through sections when reviewing patches, as I end up needing to come back to this PR rather than reading a nicely formatted doc. :) |
|
done at https://w3c.github.io/webappsec-subresource-integrity/index.bikeshed.html Since v1 is in the final stages of becoming a rec, I din't want to touch index.html. Once it is done, I will update index.html too. |
|
Just now saw this was merged. Thanks so much for the effort ❤️. |
|
FYI, I started a discussion on the mailing list. It is about APIs that do not know about integrity metadata (e.g. CSS Please read the thread and send your feedback! |
Background: w3c/webappsec-csp#85.