require-sri-for CSP directive

[yoavweiss]

Request for Mozilla Position on an Emerging Web Specification

• Specification title: require-sri-for CSP directive
• Specification or proposal URL (if available): Revive require-sri-for for scripts w3c/webappsec-subresource-integrity#129
• Explainer URL (if available): https://github.com/WICG/navigation-api/blob/main/README.md#deferred-commit
• Proposal author(s) (@-mention GitHub accounts): @yoavweiss
• Caniuse.com URL (optional):
• Bugzilla URL (optional):
• Mozillians who can provide input (optional): @zcorpan
• WebKit standards-position: require-sri-for CSP directive WebKit/standards-positions#458

Other information

Subresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI.

The require-sri-for CSP directive gives developers the ability to assert that every resource of a given type needs to be integrity checked. If a resource of that type is attempted to be loaded without integrity metadata, that attempt will fail and trigger a CSP violation report.

This revives an old effort to introduce the same directive.

[zcorpan]

cc @mozfreddyb

[mozfreddyb]

And forwarding to @beurdouche and @tomrittervg 😉

[tomrittervg]

We have been thinking about and discussing this, we'd like to talk more on the upcoming call. :)