@mozfreddyb - this is still missing the reporting parts, but I'd appreciate your feedback on the overall direction.
mozfreddyb left a comment:
Great start, thanks for kicking this off.
I have yet to look at the reporting bits, but looks good otherwise. @annevk: Can you review the integration bits (HTML & fetch) or defer to someone who can?
Points raised at WebAppSec:
Another thought: An event here is redundant with a ReportingObserver. There's no reason to copy those over from CSP. @mozfreddyb - do you agree?
Neither Firefox nor Webkit ship the Reporting API (or Reporting Observer). We should get clarity on whether there are plans to do so eventually or if this ends up being a hindrance. I'm going to ask around for Firefox.
Seems like it's implemented (but not shipped) in Firefox. Maybe y'all should just ship it? :) Removed the event as it seemed spurious to what Reporting already does.
Done
I'm not sure what to do about this one - if that syntax works, maybe we should add a processing step such that any parameter that's not "block" would cause the value to get dropped? Also, if we're going with this, do we need an "enforcement" key? @camillelamy @mozfreddyb - I'd love your opinions
Freddy is out and I know you're trying to keep momentum; I was not at the meeting but looking at our original notes, we did have a separate list of destinations for different enforcement levels, so I think this is still desirable. Maybe instead of Then in the future we could add a
Yeah, that would work for me. (maybe calling it
Having |
| 1. If |headers| <a for="header list">contains</a> a <a>header</a> | ||
| whose <a>byte-lowercased</a> <a>header name</a>'s <a>isomorphic decode</a> | ||
| is "`integrity-policy`", |
No. https://fetch.spec.whatwg.org/#header-list-contains already does the case-insensitive match. You just have to write it as `Integrity-Policy` (bit annoying with backslashes if you want to stay full Markdown). This will have to be redone.
Landed on "If |headers| contains ``integrity-policy``". Does that work?
|
|
||
| A <dfn>source</dfn> is a string. The only possible value for it is "`inline`". | ||
|
|
||
| A <dfn>destination</dfn> is a string. The only possible value for it is "`script`". |
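Review bot: the definitions of source and destination on these lines type both as plain strings and restrict them only with "The only possible value for it is ...", without saying what processing does with any other token. Since the PR description expects more destinations and sources later, state here whether an unrecognized token is ignored on its own or invalidates the whole member, so that implementations handle future values the same way.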
A way to satisfy mt and I would be to define the actual type in Fetch. A middle ground might be a note. But this seems okay.
I can do that as part of the Fetch integration as a followup
Automatic update from web-platform-tests
Integrity-Policy for script destinations

This adds support for Integrity-Policy instead of `require-sri-for`, based on [1].

[1] w3c/webappsec-subresource-integrity#133

I2S: https://groups.google.com/a/chromium.org/g/blink-dev/c/Q304_OkDAZA/m/b3Bnyab9DgAJ
Change-Id: I9599280eb94045951351368d2531d25c32c15681
Bug: 412588111
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6408111
Reviewed-by: Camille Lamy <clamy@chromium.org>
Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org>
Reviewed-by: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Adam Rice <ricea@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1456383}
--
wpt-commits: 58c8754f2d64eda3c04c7afecca2be6799484f5b
wpt-pr: 52360
Differential Revision: https://phabricator.services.mozilla.com/D249270

Automatic update from web-platform-tests
Integrity-Policy for script destinations

This adds support for Integrity-Policy instead of `require-sri-for`, based on [1].

[1] w3c/webappsec-subresource-integrity#133

I2S: https://groups.google.com/a/chromium.org/g/blink-dev/c/Q304_OkDAZA/m/b3Bnyab9DgAJ
Change-Id: I9599280eb94045951351368d2531d25c32c15681
Bug: 412588111
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6408111
Reviewed-by: Camille Lamy <clamychromium.org>
Commit-Queue: Yoav Weiss (Shopify) <yoavweisschromium.org>
Reviewed-by: Antonio Sartori <antoniosartorichromium.org>
Reviewed-by: Adam Rice <riceachromium.org>
Cr-Commit-Position: refs/heads/main{#1456383}
--
wpt-commits: 58c8754f2d64eda3c04c7afecca2be6799484f5b
wpt-pr: 52360
Differential Revision: https://phabricator.services.mozilla.com/D249270
UltraBlame original commit: b2f20b0522428084cd0d1f68900d6843d2fb1b22
SHA: a7db551 Reason: push, by mozfreddyb Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Can we get an example of this new header documented in https://w3c.github.io/webappsec-subresource-integrity/#integrity-policy-section? The only example I was able to find was at the top of this PR.
See w3c/webappsec-subresource-integrity#133 for context.
As discussed, this is replacing #129

It is defining two new headers: `Integrity-Policy` and `Integrity-Policy-Report-Only` that would enable developers to enforce integrity on scripts (in the immediate) and on more request destinations in the future.

`Integrity-Policy` header

Subresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI.

The `Integrity-Policy` header gives developers the ability to assert that every resource of a given type needs to be integrity-checked. If a resource of that type is attempted to be loaded without integrity metadata, that attempt will fail and trigger a violation report.

The `Integrity-Policy` header is a structured field Dictionary, where every member value is an inner list of tokens.

Possible keys are:

`blocked-destinations`

Example usage

A developer that wants to validate that all of their script resources have integrity checks will be able to add a header similar to:

`Integrity-Policy: blocked-destinations=(script), endpoints=(integrity-endpoint)`

From that point, any external script that is fetched without a valid `integrity` attribute (that is, one that translates into non-empty integrity metadata) or with a "no-cors" request mode, will not be loaded.

It will also trigger a violation report.

The header also has a `sources` key. Its only possible value (as well as its default value) is "inline". Its presence would enable future-compatible additions of other integrity sources, such as headers.
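The blocking rule in the PR description above, worked through as an added example that is not part of the PR or the spec text: it parses the header shape shown there and decides whether a script fetch would be blocked. The function names, the request object shape and the sample requests are assumptions made for this sketch.

```javascript
// Added sketch, not spec text: parses only the key=(token ...) members shown in
// the PR description, not the full Structured Fields Dictionary grammar.
const TOKEN = /^[A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:\/]*$/;
const SRI_ITEM = /^(sha256|sha384|sha512)-[A-Za-z0-9+\/]+={0,2}(\?.*)?$/;

function parseIntegrityPolicy(headerValue) {
  // "sources" is not parsed: the page gives "inline" as its only and default value.
  const policy = { blockedDestinations: [], sources: ["inline"], endpoints: [] };
  for (const member of headerValue.split(",")) {
    const m = member.trim().match(/^([a-z*][a-z0-9_\-.*]*)=\(([^()]*)\)/);
    if (!m) continue; // member is not an inner list: ignore it
    const tokens = m[2].trim().split(/\s+/).filter((t) => TOKEN.test(t));
    if (m[1] === "blocked-destinations") {
      // "script" is the only destination the page defines; drop anything else.
      policy.blockedDestinations = tokens.filter((t) => t === "script");
    } else if (m[1] === "endpoints") {
      policy.endpoints = tokens;
    }
  }
  return policy;
}

// True when an integrity attribute yields non-empty integrity metadata, i.e. at
// least one item with a hash algorithm SRI recognises.
function hasIntegrityMetadata(integrityAttr) {
  return (integrityAttr || "").trim().split(/\s+/).some((i) => SRI_ITEM.test(i));
}

// request: { destination, mode, integrity } (hypothetical shape for this sketch).
function isBlocked(policy, request) {
  if (!policy.blockedDestinations.includes(request.destination)) return false;
  return !hasIntegrityMetadata(request.integrity) || request.mode === "no-cors";
}

// Constructed sample input: the header from the PR description and four requests.
const policy = parseIntegrityPolicy(
  "blocked-destinations=(script), endpoints=(integrity-endpoint)");
const samples = [
  { destination: "script", mode: "cors", integrity: "" },
  { destination: "script", mode: "cors", integrity: "sha384-AAAA" },
  { destination: "script", mode: "no-cors", integrity: "sha384-AAAA" },
  { destination: "style", mode: "cors", integrity: "" },
];
for (const r of samples) console.log(r, isBlocked(policy, r) ? "blocked" : "allowed");
```

An integrity value that uses only an unrecognised algorithm (for instance a constructed `md5-...` item) yields empty metadata, so the script is blocked just as if the attribute were missing.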