Closed DavidBruant closed 7 years ago
This could be a valid issue for polyfill.io, but I don't think this would be something to address in the finding.
Subresource integrity is useful for any files loaded over a CDN, I'm not sure if it needs to be mentioned in this document explicitly.
From experience, it never hurts to be explicit. It could hurt if it went against readability, but I think that my initial comment covers more or less everything there is to say.
SRI does conflict with the idea that distributors should auto-update polyfills, though. So if we want to encourage SRI, we'd probably need to not encourage auto-update.
The need to keep polyfills up to date is a principle, and SRI is a specific technology... I'm not sure the two are in conflict, though obviously it does present a problem if you are using distribution services like polyfill.io. I feel this is out of scope, but let's take it to the F2F.
Picked up on TAG call.
Alex: Should advocate following security best practices, no need to itemise them, that'll rot very quickly.
Action on me to find appropriate resource for security best practice and reference it.
Going to close this since TAG is approving the finding in its current form, but if you have a reference suggestion I can amend later.
https://w3c.github.io/webappsec-subresource-integrity/
The whole `User-Agent` situation makes things harder, but it's possible for the polyfill author to provide a per-`User-Agent` integrity value to be inserted dynamically in the HTML based on the `User-Agent` asking for it.