apache / incubator-pagespeed-mod

Apache module for rewriting web pages to reduce latency and bandwidth.
http://modpagespeed.com
Apache License 2.0

Add SRI (SubResource Integrity) hashes to html output for css/js #1687

Open skotfred opened 6 years ago

skotfred commented 6 years ago

As mod_pagespeed can combine various css and js files in addition to modifying the generated output seen by the browsers, it would be advantageous to add SRI headers to make use of the SubResource Integrity security capabilities of some browsers.

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
https://www.w3.org/TR/SRI/

oschaaf commented 6 years ago

@morlovich Possibly this may interact with Content-Security-Policy, for example: Content-Security-Policy: require-sri-for style;.

I wonder how hard it would be for us to do this; intuitively I'd think we'd have most of the required ingredients already taken care of with the url signing capability -- though I'm not sure if the in-place resource flow is taken care of with that.

oschaaf commented 6 years ago

Started dumping some initial thoughts in a design-doc: https://github.com/apache/incubator-pagespeed-mod/wiki/Handling-Subresource-Integrity
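
An added example, not part of the thread or of mod_pagespeed's code, showing why the rewriter itself would have to emit the hash: the integrity value must cover the exact bytes served after combining, and a browser only honours the strongest algorithm listed. The `combine` helper, the sample CSS and the URL are constructed stand-ins.

```python
import base64
import hashlib
from html import escape

# Hash algorithms defined by the SRI spec, weakest to strongest.
ALGS = ["sha256", "sha384", "sha512"]


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Integrity token ("<alg>-<base64 digest>") over the exact bytes served."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def verify(body: bytes, integrity: str) -> bool:
    """Check body as the SRI spec describes: only the strongest listed algorithm counts."""
    tokens = []
    for tok in integrity.split():
        alg, _, value = tok.partition("-")
        if alg in ALGS and value:
            tokens.append((alg, value.split("?", 1)[0]))  # drop ?options
    if not tokens:
        return True  # no usable metadata: the spec lets the load proceed
    strongest = max(tokens, key=lambda t: ALGS.index(t[0]))[0]
    return any(sri_hash(body, alg) == f"{alg}-{val}"
               for alg, val in tokens if alg == strongest)


def combine(parts: list[bytes]) -> bytes:
    """Hypothetical stand-in for a combining rewriter: plain concatenation."""
    return b"\n".join(parts)


def link_tag(url: str, body: bytes) -> str:
    """Tag a rewriter would emit; the hash is taken after all rewriting is done."""
    return (f'<link rel="stylesheet" href="{escape(url, quote=True)}" '
            f'integrity="{sri_hash(body)}" crossorigin="anonymous">')


# Constructed sample inputs.
A_CSS = b"body { margin: 0 }"
B_CSS = b"h1 { color: #333 }"
COMBINED = combine([A_CSS, B_CSS])

if __name__ == "__main__":
    print(link_tag("/styles/combined.css", COMBINED))  # hypothetical URL
    print("hash of combined output verifies:", verify(COMBINED, sri_hash(COMBINED)))
    print("hash of original a.css verifies: ", verify(COMBINED, sri_hash(A_CSS)))
    print("stale hash after re-minification:", verify(COMBINED.replace(b" ", b""), sri_hash(COMBINED)))
```

An integrity attribute written by the page author for the original file stops matching as soon as the resource is combined or minified, so it has to be recomputed or dropped at rewrite time.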