Hello.
I recently learned of the polyfill.io malware issue.
Currently, SRI is supported in all major browsers.
Therefore, if the integrity attribute is specified correctly, it is possible to prevent the execution of malicious scripts on the client side.
I believe that this issue concerns cases where scripts for which the integrity attribute is not specified are later polluted.
If a server error could be returned when loading a script for which the integrity attribute is not specified, developers would have no choice but to specify the attribute in the HTML.
It would be ineffective if the server cannot be trusted from the start, but I think the specification can be added without much impact.
Related: https://lists.w3.org/Archives/Public/public-webappsec/2017Jun/0000.html