Revive require-sri-for for scripts #129
Conversation
|
Further work on this would require:
We'd also need tests for the above |
`require-sri-for` would enable documents to enforce SRI on all resources they load (of a certain type). This CL revives a previous attempt [1] at this that ended up being removed. It only adds the 'script' part of it, as this has a clear use case [2]. Intent-to-Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/CdLp5BM2FCQ/m/t9ae0Do_AAAJ Spec PR: w3c/webappsec-subresource-integrity#129 [1] https://chromium-review.googlesource.com/c/chromium/src/+/2199260 [2] https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0 Change-Id: I66acc12b073174cb33cf594b714e803e24656d27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5877633 Reviewed-by: Antonio Sartori <[email protected]> Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#1419883}
`require-sri-for` would enable documents to enforce SRI on all resources they load (of a certain type). This CL revives a previous attempt [1] at this that ended up being removed. It only adds the 'script' part of it, as this has a clear use case [2]. Intent-to-Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/CdLp5BM2FCQ/m/t9ae0Do_AAAJ Spec PR: w3c/webappsec-subresource-integrity#129 [1] https://chromium-review.googlesource.com/c/chromium/src/+/2199260 [2] https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0 Change-Id: I66acc12b073174cb33cf594b714e803e24656d27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5877633 Reviewed-by: Antonio Sartori <[email protected]> Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#1419883}
`require-sri-for` would enable documents to enforce SRI on all resources they load (of a certain type). This CL revives a previous attempt [1] at this that ended up being removed. It only adds the 'script' part of it, as this has a clear use case [2]. Intent-to-Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/CdLp5BM2FCQ/m/t9ae0Do_AAAJ Spec PR: w3c/webappsec-subresource-integrity#129 [1] https://chromium-review.googlesource.com/c/chromium/src/+/2199260 [2] https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0 Change-Id: I66acc12b073174cb33cf594b714e803e24656d27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5877633 Reviewed-by: Antonio Sartori <[email protected]> Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#1419883}
Done
The relevant Fetch parts mean that any string is considered a non-empty integrity metadata. |
done! |
index.bs
Outdated
| ### Parsing `require-sri-for` ### {#parse-require-sri-for} | ||
|
|
||
| Given a string (|token list|), this algorithm returns a list of resource | ||
| types which will require integrity checks: | ||
|
|
||
| 1. Let |protected resource types| be the empty <a for=/>set</a>. | ||
|
|
||
| 2. For each |token| in the result of <a lt="split a string on ascii whitespace"> | ||
| splitting |token list| on spaces</a>, if token matches the grammar | ||
| for <a>require-sri-for</a> and is a <a>ASCII case-insensitive match</a> | ||
| for any of the <a>known token</a>s, add |token| to |protected resource types|. | ||
| Otherwise, ignore the token. | ||
|
|
||
| 3. Return the set of |protected resource types|. | ||
|
|
There was a problem hiding this comment.
How likely is it that we expand the list of known tokens? Otherwise a simple string-equals match would suffice.
There was a problem hiding this comment.
Previously the list also included "style". As I don't have a clear use case for it, I didn't add it here.
We could drop this to be a simple equality check now, and expand to a list if/when the time comes.
There was a problem hiding this comment.
What should the behavior be in user agents which don't understand the new type?
This suggestion would make them not enforce anything at all, which seems suboptimal?
There was a problem hiding this comment.
I think this is the way CSP directives are currently defined, and that enabled us to expand them over time.
Not enforcing anything on unknown types would enable us to expand the list overtime if needed. What's the alternative you see?
|
With my editor hat on, I think this passes review. |
Automatic update from web-platform-tests require-sri-for: 'script' `require-sri-for` would enable documents to enforce SRI on all resources they load (of a certain type). This CL revives a previous attempt [1] at this that ended up being removed. It only adds the 'script' part of it, as this has a clear use case [2]. Intent-to-Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/CdLp5BM2FCQ/m/t9ae0Do_AAAJ Spec PR: w3c/webappsec-subresource-integrity#129 [1] https://chromium-review.googlesource.com/c/chromium/src/+/2199260 [2] https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0 Change-Id: I66acc12b073174cb33cf594b714e803e24656d27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5877633 Reviewed-by: Antonio Sartori <[email protected]> Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#1419883} -- wpt-commits: 5f473f1dcc4b545448d84c380b4a6715db612fd1 wpt-pr: 50681
Automatic update from web-platform-tests require-sri-for: 'script' `require-sri-for` would enable documents to enforce SRI on all resources they load (of a certain type). This CL revives a previous attempt [1] at this that ended up being removed. It only adds the 'script' part of it, as this has a clear use case [2]. Intent-to-Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/CdLp5BM2FCQ/m/t9ae0Do_AAAJ Spec PR: w3c/webappsec-subresource-integrity#129 [1] https://chromium-review.googlesource.com/c/chromium/src/+/2199260 [2] https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0 Change-Id: I66acc12b073174cb33cf594b714e803e24656d27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5877633 Reviewed-by: Antonio Sartori <[email protected]> Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#1419883} -- wpt-commits: 5f473f1dcc4b545448d84c380b4a6715db612fd1 wpt-pr: 50681
|
On the process question @mozfreddyb raised above: We discussed this in the WebAppSec WG yesterday (minutes at https://github.com/w3c/webappsec/blob/main/meetings/2025/2025-02-19-minutes.md#reviving-require-sri-for). Generally, folks on the call (and folks I've talked to elsewhere) are on board with this functionality. I'd like to wait to land this in the spec until we've kicked off the adoption process for this work; it's quite clearly covered by our current charter, but I'd like to formally get the ball rolling on an SRI Level 2 we can continually update under the new(ish) W3C publication process. Once that's in place, adding this as a feature to that new workstream should be straightforward. @simoneonofri is going to send out an email to the list to that effect based on yesterday's conversation, and if all goes well, I think we can get this in by March. Does that work for you, @mozfreddyb and @yoavweiss? |
Yeah, thank you! :) |
|
Yes, but specifically, once we move to a Living Standard I would like us to ensure that we have more than 1 implementation interested and with a positive standards position before merging any changes here and elsewhere |
|
@mozfreddyb: I suspect we'd generally want to end up with something like https://whatwg.org/working-mode, which sets different bars for different kinds of changes. That said, you're editing this spec, and I think that gives you a reasonable amount of freedom to interpret when something is supported-enough to land. |
Automatic update from web-platform-tests require-sri-for: 'script' `require-sri-for` would enable documents to enforce SRI on all resources they load (of a certain type). This CL revives a previous attempt [1] at this that ended up being removed. It only adds the 'script' part of it, as this has a clear use case [2]. Intent-to-Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/CdLp5BM2FCQ/m/t9ae0Do_AAAJ Spec PR: w3c/webappsec-subresource-integrity#129 [1] https://chromium-review.googlesource.com/c/chromium/src/+/2199260 [2] https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0 Change-Id: I66acc12b073174cb33cf594b714e803e24656d27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5877633 Reviewed-by: Antonio Sartori <[email protected]> Commit-Queue: Yoav Weiss (@Shopify) <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#1419883} -- wpt-commits: 5f473f1dcc4b545448d84c380b4a6715db612fd1 wpt-pr: 50681
|
Was it ever considered to make this part of cc @sysrqb |
|
Given the WAICT proposal and the discussion at WebAppSec last week, I'm renaming the directive to @annevk - On that call @mozfreddyb mentioned that we've already had the "directive vs. keyword" discussion in the past, and directive won. @mozfreddyb - can you post links to past discussions? |
|
I went through original posts a couple weeks ago. The first draft of SRI actually had an integrity policy header, but we removed that from the spec as no implementation was interested. Once GitHub had deployed SRI, they noticed that it's rather easy to forget so they called for a SRI source-expression (see (1) below), but we decided that go for a directive. Brad Hill also suggested factoring it out of CSP due to the increasing complexity within CSP, which imho has continuously grown since then. Reporting is already its own thing, which IMO was a good choice. |
|
Revisiting this after a good night of sleep, I am even more of the opinion that we're going to be able to avoid a lot of cruft and complexity by moving this to its own header. |
Jetleggly jealous :)
Do you have a spelling in mind? If not, I suggest we go with For this specifically, one would emit: If in the future we'd add e.g. Does this work for y'all? |
|
If the CSP syntax is not universally hated (???), I would keep the same syntax, namely
|
|
e.g. |
|
Friendly remark: why not staying close to the original ask: Content-Security-Policy: require-sri-for 'TYPE' where TYPE can be, e.g., 'script' 'style' and perhaps - if there are use cases for these - 'script-src' 'script-src-elem' 'style-src' 'style-src-elem' |
I forgot, but we'd also need the |
That would mean yet another custom parser in the browser, that's kinda like CSP, but slightly different (as I believe we wanted the multiple header reconciliation to be different here, right?) If we're keeping the same syntax, what are the benefits of splitting this to a separate header? |
|
@rvaneijk Looks like some web pages out there area still using the header without it enforcing something. These would break. Secondly, we already know that the original |
Right. @annevk reminded me that we'd want to use a structured header. I almost forgot they existed. |
|
a) I have basically no opinion on spelling. Happy for this to be whatever makes sense to y'all. b) If this is a distinct header, I strongly object to reusing CSP's syntax. Structured Fields exist, please use them to normalize parsing. Please do not repeat my mistakes! |
|
Most of the headers of this kind have |
|
I don't have opinions about the naming or structure; but as far as fields go, what we are currently thinking about is the following directives and their potential values. I don't see any problem with fitting these into Structured Headers. Headers:
Integrity Request Destinations:
Enforcement Type:
Integrity Source:
If it's manifest, then we need the manifest URL |
|
@mozfreddyb and I just chatted through this, and made some good progress on an actual syntax proposal. We're proposing an Given the dimensions @tomrittervg mentioned above, the dictionary keys would be The tokens in the inner lists would be the relevant request destinations for the enforcement modes, and That means that a header would look something like: Integrity-Policy: strict=(script style), report=(image), user=(document), source=(manifest inline), endpoints=(https://example.com/report https://megacorp.com/report)Initially, I'm planning to only specify and implement the In terms of future compat, if the Other unknown keys would be ignored. |
|
Wasn't it really useful to have a separate -RO header for CSP? So sites could deploy one CSP and test a more restrictive one at the same time? It seems like we would want that same capability, no? |
|
Yeah, we decided to keep the |
|
The reason we thought we could avoid RO here is that we can have separate "report" destinations vs. "strict" destinations. If there's a preference to keep RO around, we could also go with something like: Integrity-Policy: destinations=(script style), enforcement=(block, warn), source=(manifest inline)
Integrity-Policy-Report-Only: destinations=(image), source=(manifest inline), endpoints=(https://example.com/report https://megacorp.com/report) |
|
If we have different enforcement levels already (strict vs. lax), then it would make sense to split on the enforcement level as their own dictionary and put them on the same axis as reporting? You could still roll out a strict policy for testing in parallel to a weaker one that is known not to break the site like so: |
I... don't really like that design/syntax, I feel like the RO header is easier to understand (and allows having a different reporting URL than the enforcement one, right? I would have thought that would be really valuable but maybe not). BUT this is a personal opinion and is not a blocker to moving forward if that's what you, Freddy, and others prefer. |
I'm not sure what you mean here. Can you share examples?
Yeah, the two header design does enable us to have separate endpoints for enforcement vs. report-only. I'm not sure what's the use case for that, but it does give us this flexibility. |
My quoting the entire context instead of the first line probably made it more confusing. IIUC the following are equivalent:
and
I guess the difference isn't that bad in practice. Although the advantages of a separate -RO header are (I think):
If the headers are very similar though, it's definitely a ton of duplicated bytes (source, manifest-url, endpoints). |
All new headers use SFV so this isn't unique and insufficient justification in my opinion. |
|
Originally, I just found it odd that we have an axis of violation-strictness (report, lax, strict) and split that axis into the lax/strict header value and a completely separate header. Looking at the pros & cons listed by @tomrittervg and the fact that Report-Only headers are a thing, I'm happy to give in and follow group consensus around us establishing two headers. :) |
|
Closed in favor of #133 |
This ~reverts https://github.com/w3c/webappsec-subresource-integrity/pull/82/files, which reverted
require-sri-for.It only includes the
scripttoken, as it has a clear use case.I believe the reasons for removing
require-sri-forare losing ground:Integrity checks for workers are still missing, but there's work underway to enable importmaps in workers which will give us that, at least for some assets.
require-sri-forCSP directiveSubresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI.
The
require-sri-forCSP directive gives developers the ability to assert that every resource of a given type needs to be integrity checked. If a resource of that type is attempted to be loaded without integrity metadata, that attempt will fail and trigger a CSP violation report.Example usage
A developer that wants to validate that all of their script resources have integrity checks will be able to add a CSP header similar to:
Content-Security-Policy: require-sri-for 'script'(Or the equivalent
<meta>tag)From that point, any external script that is fetched without a valid
integrityattribute (that is, one that translates into non-empty integrity metadata) or with a "no-cors" request mode, will not be loaded.It will also trigger a "securitypolicyviolation" event, as well as a CSP report.
Preview | Diff