weizman
commented
2 weeks ago Scenario:
- Headers:
Content-Security-Policy: realm-init: /ric.js - ric.js:
document.write("<script src="code.js"></script>")
Just to clarify - do you mean ric.js should obey SRI, or should only scripts it brings and executes (such as code.js) obey SRI?
Assuming that a website is adding SRI to all its JS files to make sure only the right JS runs, RIC should not be able to circumvent that and suddenly add another script.
(I considered merging this into #16 but decided it deserves its own issue.)