Contact emails: yoavwe...@chromium.org

Explainer: https://github.com/w3c/webappsec-subresource-integrity/pull/129#:~:text=for%20some%20assets.-,require%2Dsri%2Dfor%20CSP%20directive,-Subresource%2DIntegrity%20

Specification: https://github.com/w3c/webappsec-subresource-integrity/pull/129

The feature and PR were discussed at the WebAppSec WG call
<https://github.com/w3c/webappsec/blob/main/meetings/2025/2025-02-19-minutes.md#reviving-require-sri-for>.
No objection beyond questions on whether we'd need to expand this to cover
stylesheets as well. We'd be able to do that in the future (as a separate
intent) if needed.

Summary

The `require-sri-for` directive gives developers the ability to assert that
every resource of a given type must be integrity checked. If the page attempts
to load a resource of that type without integrity metadata, the load fails and
triggers a CSP violation report. This intent covers the "script" value of the
directive.


Blink component: Blink>SecurityFeature>ContentSecurityPolicy
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EContentSecurityPolicy%22>

TAG review: https://github.com/w3ctag/design-reviews/issues/1048

TAG review status: Pending - No response just yet

Risks


Interoperability and Compatibility

On the compatibility front:

This directive was already implemented in the past, and there are some
developer docs
<https://udn.realityripple.com/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for>
that still describe it. The current PR and implementation did not diverge
from the past implementation.


If developers deployed the feature in the past and are now relying on it *not
really working*, that may result in surprising breakage. The HTTPArchive
shows *0.0011% of page responses* (178 out of 15760519) have an existing
`require-sri-for` directive. That's an upper bound: only pages that enforce
it for scripts and have no integrity attributes on some of their scripts may
break.

*Gecko*: No signal (https://github.com/mozilla/standards-positions/issues/1173)

*WebKit*: No signal (https://github.com/WebKit/standards-positions/issues/458)

*Web developers*: Shopify is interested in this. I suspect PCIv4
<https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0>
would make some developers interested in making sure their documents' scripts
have complete integrity checks.

*Other signals*:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

None


Debuggability

None


Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux, ChromeOS, Android, and Android WebView)? Yes

Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes

https://wpt.fyi/results/content-security-policy/tentative/require-sri-for?label=experimental&label=master&aligned
<https://chromium-review.googlesource.com/c/chromium/src/+/5877633>


Flag name on about://flags: None

Finch feature name: CSPRequireSRIFor

Requires code in //chrome?False

Estimated milestones
Shipping on desktop 135
DevTrial on desktop 134
Shipping on Android 135
DevTrial on Android 134
Shipping on WebView 135

Anticipated spec changes

Open questions about a feature may be a source of future web compat or
interop issues. Please list open issues (e.g. links to known github issues
in the project for the feature specification) whose resolution may
introduce web compat/interop risk (e.g., changing to naming or structure of
the API in a non-backward-compatible way).


None

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5090023365672960?gate=5186570942152704

Links to previous Intent discussions: Intent to Prototype:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSJUygAmobR9dRkDr%3DBWQ1h5hv2Lj3WUFN31QZF360A47A%40mail.gmail.com


This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
