tasn / webext-signed-pages

A browser extension to verify the authenticity (PGP signature) of web pages
BSD 3-Clause "New" or "Revised" License

Verify that SRI is used for all elements ("require-sri") #14

Open rugk opened 6 years ago

rugk commented 6 years ago

I already mentioned this in another issue, but here again.

You can use "require-sri" in the CSP to instruct recent browsers to load stuff only with SRI. (Or was it still a draft??)

You should suggest this to software devs using this add-on. They should include it as a meta tag in the source, so it is covered by the signature (in contrast to HTTP headers).

tasn commented 6 years ago

I think it's still a draft, but I don't know. Is require-sri even allowed in meta tags? I don't think so. I think it can only be included in HTTP headers.

Even if allowed, I don't think it should be forced to be in meta, but I think having it checked / detected by the extension, so sites with insecure (no SRI) inclusions would warn with a different icon or a warning message.

rugk commented 6 years ago

> but I think having it checked / detected by the extension

Yeah, that should definitely be done. However, if it is easier, you could also just check the CSP header. That may likely be easier (and, as such, more resistant against potential errors/bypasses). Of course, you could provide a fallback version, if CSP is not used on the site.

tasn commented 6 years ago

Forcing CSP is problematic because not everyone can control these headers. Consider for example anyone hosting on GitHub Pages. They can't control the headers, but they can control the HTML and can make sure it has SRI.

rugk commented 6 years ago

Yeah, good point, I just say you can use CSP first, and fall back to "manual" validation that SRI is used for each element if it is not present. Such a thing may also be good for performance reasons, as users are likely better to verify require-sri than some browser add-on.
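
The CSP-first, scan-as-fallback check discussed in this thread, sketched as an added example that is not part of the thread or of webext-signed-pages. Assumptions: the directive is matched under its draft name `require-sri-for` (what the thread calls "require-sri"), all function names are hypothetical, and the sample page is constructed.

```javascript
// Added example, not webext-signed-pages code. Regex tag scanning keeps it
// runnable without a DOM; an extension would walk the parsed document instead.
const HASH = /^(sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}$/;

// Parse one start tag's attributes into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return attrs;
}

// List every external script / stylesheet in `html` without a usable hash.
function findMissingSri(html) {
  const missing = [];
  for (const [tag, name] of html.matchAll(/<(script|link)\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const isScript = name.toLowerCase() === "script";
    const url = isScript ? a.src : a.href;
    const rels = (a.rel || "").toLowerCase().split(/\s+/);
    if (!url || (!isScript && !rels.includes("stylesheet"))) continue;
    const ok = (a.integrity || "").split(/\s+/).some((t) => HASH.test(t));
    if (!ok) missing.push({ type: isScript ? "script" : "style", url });
  }
  return missing;
}

// Types the policy forces SRI on via the draft `require-sri-for` directive.
function cspRequiredTypes(policy) {
  for (const directive of (policy || "").split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "require-sri-for") return values.map((v) => v.toLowerCase());
  }
  return [];
}

// CSP first, manual scan as fallback. Assumes the browser enforces the directive.
function checkPage(html, cspHeader) {
  const types = cspRequiredTypes(cspHeader);
  if (types.includes("script") && types.includes("style")) return { source: "csp", missing: [] };
  return { source: "scan", missing: findMissingSri(html) };
}

// Constructed sample page (not from the thread).
const SAMPLE = `<link rel="stylesheet" href="/site.css">
<link rel="icon" href="/favicon.ico">
<script src="https://cdn.example/a.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src='/app.js'></script>`;
```

For the constructed sample, `checkPage(SAMPLE, "default-src 'self'")` falls through to the scan and reports `/site.css` and `/app.js`; an extension could map a non-empty `missing` list to the warning icon proposed above.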