LGTM2, assuming the spec lands before the feature ships. On Wed, Apr 23, 2025 at 4:07 AM Mike Taylor <miketa...@chromium.org> wrote:
> LGTM1 > On 4/23/25 5:12 AM, Yoav Weiss (@Shopify) wrote: > > Contact emails yoavwe...@chromium.org > > Explainer https://github.com/w3c/webappsec-subresource-integrity/pull/133 > > Specification > https://github.com/w3c/webappsec-subresource-integrity/pull/133 > > Summary > > Subresource-Integrity (SRI) enables developers to make sure the assets > they intend to load are indeed the assets they are loading. But there's no > current way for developers to be sure that all of their scripts are > validated using SRI. The Integrity-Policy header gives developers the > ability to assert that every resource of a given type needs to be > integrity-checked. If a resource of that type is attempted to be loaded > without integrity metadata, that attempt will fail and trigger a violation > report. > > > Blink component Blink>SecurityFeature>Subresource Integrity > <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3ESubresource%20Integrity%22> > > TAG review https://github.com/w3ctag/design-reviews/issues/1048 > > TAG review status Pending > > Risks > > > Interoperability and Compatibility > > None. This is a new header, so it has no compatibility concerns. In terms > of interoperability, despite the lack of official position, this was > co-designed with Mozilla folks, and they are planning > <https://github.com/w3c/webappsec-subresource-integrity/pull/133#discussion_r2046860967> > to follow suite AFAIK. > > > *Gecko*: No signal ( > https://github.com/mozilla/standards-positions/issues/1173) The syntax > was collaboratively worked on with Mozilla folks and was adapted to be > future-compatible with their plans on that front. At the same time, no > official signal just yet. > > *WebKit*: No signal ( > https://github.com/WebKit/standards-positions/issues/458) "reasonable > problem to solve" but no official signal yet. > > *Web developers*: Positive - Shopify is highly interested in this. I > suspect other developers who have to deal with PCI compliance would as > well. (there's also an ancient signal from Github > <https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0045.html>) > > *Other signals*: > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > None > > > Debuggability > > None > > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, ChromeOS, Android, and Android WebView)? Yes > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ? Yes > > https://chromium-review.googlesource.com/c/chromium/src/+/6408111 > > > Flag name on about://flags None > > Finch feature name IntegrityPolicyScripts > > Rollout plan Will ship enabled for all users > > Requires code in //chrome? False > > Estimated milestones > Shipping on desktop 137 > Shipping on Android 137 > Shipping on WebView > > > 137 I'm aware 137 is... ambitious, given the code hasn't landed yet. But > I'm trying to reduce the delay the API shape change incurred. > > Anticipated spec changes > > Open questions about a feature may be a source of future web compat or > interop issues. Please list open issues (e.g. links to known github issues > in the project for the feature specification) whose resolution may > introduce web compat/interop risk (e.g., changing to naming or structure of > the API in a non-backward-compatible way). > None > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/5178394056327168?gate=5167118408220672 > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSKm8K3oVnNLyLcKJuBGWs6C0kpGY%2Bu6WioOjc-%2BY2-p6Q%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSKm8K3oVnNLyLcKJuBGWs6C0kpGY%2Bu6WioOjc-%2BY2-p6Q%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f38962f7-62bc-43aa-a13c-d014c2475afc%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f38962f7-62bc-43aa-a13c-d014c2475afc%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw986ksk-UOBA1GiRJp5M3e2FmB2VjBxUX5Fwgwc%3D9q%2BCw%40mail.gmail.com.
