require-sri-for CSP directive

[yoavweiss]

こんにちは TAG-さん!

I'm requesting a TAG review of the require-sri-for CSP directive.

Subresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI.

The require-sri-for CSP directive gives developers the ability to assert that every resource of a given type needs to be integrity checked. If a resource of that type is attempted to be loaded without integrity metadata, that attempt will fail and trigger a CSP violation report.

• Explainer
• Specification
• WPT Tests
• User research: N/A
• Security and Privacy self-review
• GitHub repo
• Primary contacts:
  • Yoav Weiss (@yoavweiss), Shopify, implementer
• Organization/project driving the specification: Shopify
• Multi-stakeholder support³:
  • Chromium comments
  • Mozilla comments: require-sri-for CSP directive mozilla/standards-positions#1173
  • WebKit comments: require-sri-for CSP directive WebKit/standards-positions#458
  • (Ancient) developer signal
• Status/issue trackers for implementations⁴:

Further details:

• I have reviewed the TAG's Web Platform Design Principles
• Previous early design review, if any: N/A
• Relevant time constraints or deadlines: I'd like to ship this soon
• The group where the work on this specification is currently being done: WebAppSec
• The group where standardization of this work is intended to be done (if different from the current group):
• Major unresolved issues with or opposition to this specification:
• This work is being funded by: Shopify