Contact emails: yoavwe...@chromium.org

Explainer: https://github.com/w3c/webappsec-subresource-integrity/pull/133

Specification: https://github.com/w3c/webappsec-subresource-integrity/pull/133

Summary

Subresource Integrity (SRI) lets developers make sure the assets they intend to load are indeed the assets they are loading. But there is currently no way for developers to be sure that all of their scripts are validated using SRI. The Integrity-Policy header gives developers the ability to assert that every resource of a given type must be integrity-checked. If a resource of that type is loaded without integrity metadata, the load fails and triggers a violation report.

Blink component: Blink>SecurityFeature>Subresource Integrity <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3ESubresource%20Integrity%22>

TAG review: https://github.com/w3ctag/design-reviews/issues/1048

TAG review status: Pending

Risks

Interoperability and Compatibility

None. This is a new header, so it has no compatibility concerns. In terms of interoperability, despite the lack of an official position, this was co-designed with Mozilla folks, and they are planning <https://github.com/w3c/webappsec-subresource-integrity/pull/133#discussion_r2046860967> to follow suit AFAIK.

*Gecko*: No signal (https://github.com/mozilla/standards-positions/issues/1173). The syntax was collaboratively worked on with Mozilla folks and was adapted to be future-compatible with their plans on that front. At the same time, no official signal just yet.

*WebKit*: No signal (https://github.com/WebKit/standards-positions/issues/458). "reasonable problem to solve" but no official signal yet.

*Web developers*: Positive. Shopify is highly interested in this. I suspect other developers who have to deal with PCI compliance would be as well. (There's also an ancient signal from GitHub <https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0045.html>.)

*Other signals*:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None

Debuggability

None

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

Yes: https://chromium-review.googlesource.com/c/chromium/src/+/6408111

Flag name on about://flags: None

Finch feature name: IntegrityPolicyScripts

Rollout plan: Will ship enabled for all users

Requires code in //chrome?: False

Estimated milestones

Shipping on desktop: 137
Shipping on Android: 137
Shipping on WebView: 137

I'm aware 137 is... ambitious, given the code hasn't landed yet. But I'm trying to reduce the delay the API shape change incurred.

Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/5178394056327168?gate=5167118408220672

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
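The summary above describes two checks that together make SRI enforceable: the per-resource hash comparison SRI already does, and the new policy rule that a script request carrying no integrity metadata fails and is reported. The following Python script is an added example (not Chromium, spec, or Chrome Platform Status code) that a developer could run over their own HTML before turning the header on: it generates integrity metadata for a resource, performs the SRI match, and lists which external `<script>` elements an Integrity-Policy covering the `script` destination would block. The sample page and resource body are constructed inline. The header-value builder assumes the Structured-Fields dictionary shape from the spec draft linked above (`blocked-destinations=(script), endpoints=(...)`); the violation record's field names are likewise an approximation of the spec's report body, not a verified copy of it.

```python
"""Pre-deployment audit for an Integrity-Policy that covers script loads.

Added example, not project code.  Models the behaviour stated in the
intent: external scripts without integrity metadata fail and are reported;
scripts with metadata are subject to the usual SRI hash match.
"""
import base64
import hashlib
from html.parser import HTMLParser

# SRI-supported digests, ordered by strength (the spec ignores unknown ones
# and, when several tokens are present, matches against the strongest set).
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return integrity metadata for content, e.g. 'sha384-<base64 digest>'."""
    if alg not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify(content: bytes, integrity: str) -> bool:
    """SRI check: true if a token of the strongest supported algorithm matches.
    Unknown algorithms are ignored; with no usable token the check fails."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in STRENGTH:
            parsed.append((alg, rest.split("?", 1)[0]))  # drop '?options' suffix
    if not parsed:
        return False
    strongest = max(STRENGTH[a] for a, _ in parsed)
    return any(STRENGTH[a] == strongest and sri_hash(content, a) == f"{a}-{h}"
               for a, h in parsed)


class _ScriptCollector(HTMLParser):
    """Collects external <script src=...> elements and their integrity attrs."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):  # inline scripts are not subresource requests
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def audit_scripts(html: str, blocked_destinations=("script",)):
    """Simulate Integrity-Policy enforcement over a page's external scripts.
    Returns (allowed_urls, violations).  A script with no integrity metadata
    is a violation whenever 'script' is among the blocked destinations."""
    parser = _ScriptCollector()
    parser.feed(html)
    allowed, violations = [], []
    for s in parser.scripts:
        if "script" in blocked_destinations and not s["integrity"]:
            # Field names approximate the spec's report body (assumption).
            violations.append({"blockedURL": s["src"], "destination": "script",
                               "reportOnly": False})
        else:
            allowed.append(s["src"])
    return allowed, violations


def integrity_policy_header(destinations=("script",), endpoints=()) -> str:
    """Build the header value.  Assumed shape (Structured Fields dictionary
    per the linked spec draft): 'blocked-destinations=(script), endpoints=(x)'."""
    value = "blocked-destinations=(" + " ".join(destinations) + ")"
    if endpoints:
        value += ", endpoints=(" + " ".join(endpoints) + ")"
    return value


# Constructed sample resource and page: one pinned script, one unpinned.
VENDOR_JS = b"export const version = '1.0';\n"
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example/vendor.js" integrity="{sri_hash(VENDOR_JS)}"
        crossorigin="anonymous"></script>
<script src="/app.js"></script>
<script>console.log("inline scripts are not subresources");</script>
</head></html>"""

if __name__ == "__main__":
    print("Integrity-Policy:", integrity_policy_header(("script",), ("sri",)))
    allowed, violations = audit_scripts(SAMPLE_HTML)
    print("allowed:", allowed)
    for v in violations:
        print("violation:", v)
    print("vendor.js hash matches:", verify(VENDOR_JS, sri_hash(VENDOR_JS)))
```

Running the audit with an empty `blocked_destinations` shows the pre-policy behaviour (every script request is allowed, pinned or not), which is the gap the header closes.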