internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Add Subresource Integrity Protection test #687

Open stitch opened 2 years ago

stitch commented 2 years ago

This checks if integrity hashes are used on dynamic resources like script and link tags (not svg). The integrity is a hash of a resource that the browser uses to check if the retrieved resource is the one expected. Tom has written a comprehensive scanner for this. This may be included in the internet.nl code.

See presentation of Tom Stock here: https://www.youtube.com/watch?v=Nq0657t8odk

Seirdy commented 1 year ago

This should not be required for scripts if a CSP uses hashes for external scripts. As of CSP Level 3, a hash value can be used for external resources in script-src; support is still rolling out.

SRI should only be required when a CSP specifies sources or nonces instead of hashes (or if the CSP doesn't apply any restrictions at all).

thestinger commented 1 year ago

CSP hashes for external scripts require that you use SRI for them. It only whitelists the SRI hash and depends on SRI for the enforcement. That's why GrapheneOS is using SRI for our scripts and styles so that we can start using hashes for the scripts once Firefox and Safari add support for it. Unfortunately they're currently blocking using that in CSP since we can't think of a way to deploy it without breaking them or doing user agent sniffing.
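As an added illustration of the check the issue proposes and of the digest that the CSP discussion above refers to (example code, not Internet.nl's code nor Tom Stock's scanner): it walks script and stylesheet link tags, classifies each as protected, unprotected or malformed, and computes the `sha384-...` token that serves both as an `integrity` value and as a CSP Level 3 hash-source. The sample page and resource body are constructed; `crossorigin="anonymous"` is assumed to be present on cross-origin resources, since SRI needs a CORS response to verify them.

```python
import base64
import hashlib
from html.parser import HTMLParser

# SRI (and CSP hash-sources) accept only these SHA-2 digests, base64-encoded.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the hash token for a resource body, e.g. 'sha384-<base64>'.
    The same token goes in an integrity attribute and, quoted, in a CSP script-src."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()


def integrity_status(value: str) -> str:
    """Classify an integrity attribute: 'missing', 'ok' or 'malformed' (unknown algorithm)."""
    tokens = (value or "").split()
    if not tokens:
        return "missing"
    # Several space-separated tokens are allowed; every one must be <algo>-<base64>.
    ok = all(len(t.split("-", 1)) == 2 and t.split("-", 1)[0] in SRI_ALGOS for t in tokens)
    return "ok" if ok else "malformed"


class SRIChecker(HTMLParser):
    """Collect (tag, url, status) for <script src> and <link rel=stylesheet href>; other tags are out of scope."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            url = a["href"]
        else:
            return
        self.findings.append((tag, url, integrity_status(a.get("integrity"))))


def check_html(html: str) -> list:
    parser = SRIChecker()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one protected script, one unprotected, one link with a bad digest.
SAMPLE_JS = b"console.log('hello');"
SAMPLE_HTML = f"""<script src="https://cdn.example/app.js" integrity="{sri_digest(SAMPLE_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/other.js"></script>
<link rel="stylesheet" href="/style.css" integrity="md5-abc">
<img src="/logo.svg">"""
```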