Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

Makes sense! I'll send a new intent. On Mon, Apr 21, 2025 at 6:37 PM Mike Taylor wrote: > Given that this is described as "very different", I think a new I2S would > be helpful. Or if you decide that's too annoying, at the very least could > you write up a minimal explainer (inline is fine) that

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

Given that this is described as "very different", I think a new I2S would be helpful. Or if you decide that's too annoying, at the very least could you write up a minimal explainer (inline is fine) that describes the diff from require-sri-for, and create a new chromestatus entry? On 4/17/25 1

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

Hey folks! I now have a CL for Integrity-Policy (that also removes the require-sri-for implementation), and a PR is being reviewed. Should I send a new intent for

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

Thanks for reviewing!! In discussions with Mozilla folk, we eventually landed on a very different API shape , to enable them to expand the concept of "integrity policy", rather than doing this as a one-off CSP

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

LGTM3 On Tue, Mar 25, 2025 at 6:48 AM Mike Taylor wrote: > > On 3/24/25 10:24 PM, Domenic Denicola wrote: > > > > On Mon, Mar 24, 2025 at 4:37 PM Yoav Weiss (@Shopify) < > yoavwe...@chromium.org> wrote: > >> >> >> On Mon, Mar 24, 2025 at 6:45 AM Domenic Denicola >> wrote: >> >>> Great to hear!

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

On 3/24/25 10:24 PM, Domenic Denicola wrote: On Mon, Mar 24, 2025 at 4:37 PM Yoav Weiss (@Shopify) wrote: On Mon, Mar 24, 2025 at 6:45 AM Domenic Denicola wrote: Great to hear! I see you've already updated the spec PR. My instinct is that we should give

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

On Mon, Mar 24, 2025 at 4:37 PM Yoav Weiss (@Shopify) < yoavwe...@chromium.org> wrote: > > > On Mon, Mar 24, 2025 at 6:45 AM Domenic Denicola > wrote: > >> Great to hear! >> >> I see you've already updated the spec PR. My instinct is that we should >> give folks a week-ish to react to the new nam

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

On Mon, Mar 24, 2025 at 6:45 AM Domenic Denicola wrote: > Great to hear! > > I see you've already updated the spec PR. My instinct is that we should > give folks a week-ish to react to the new name, finish the spec review, > etc. What do you think? > Normally I would think this makes perfect sen

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

Great to hear! I see you've already updated the spec PR. My instinct is that we should give folks a week-ish to react to the new name, finish the spec review, etc. What do you think? (Also, I can't quite understand what's blocking the spec PR from landing... I guess there's still some discussion

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

Following discussions at WebAppSec and the WAICT proposal, I'm renaming th

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

FWIW, I'm planning to discuss a syntax change at next week's WebAppSec meeting, that can help us avoid these compat issues. On Tue, Feb 25, 2025 at 7:54 PM Yoav Weiss (@Shopify) < yoavwe...@chromium.org> wrote: > > > On Tue, Fe

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

On Tue, Feb 25, 2025 at 6:08 PM Mike Taylor wrote: > > On 2/24/25 4:24 PM, Yoav Weiss (@Shopify) wrote: > > > > On Mon, Feb 24, 2025 at 7:18 PM Mike Taylor > wrote: > >> On 2/21/25 8:33 AM, Yoav Weiss (@Shopify) wrote: >> >> >> On Thursday, February 20, 2025 at 1:56:59 PM UTC+1 Yoav Weiss wrote:

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

On 2/24/25 4:24 PM, Yoav Weiss (@Shopify) wrote: On Mon, Feb 24, 2025 at 7:18 PM Mike Taylor wrote: On 2/21/25 8:33 AM, Yoav Weiss (@Shopify) wrote: On Thursday, February 20, 2025 at 1:56:59 PM UTC+1 Yoav Weiss wrote: On Thursday, February 20, 2025 at 11:47:00 AM UTC+1

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

On Mon, Feb 24, 2025 at 7:18 PM Mike Taylor wrote: > On 2/21/25 8:33 AM, Yoav Weiss (@Shopify) wrote: > > > On Thursday, February 20, 2025 at 1:56:59 PM UTC+1 Yoav Weiss wrote: > > > On Thursday, February 20, 2025 at 11:47:00 AM UTC+1 Yoav Weiss wrote: > > Contact emailsyoavwe...@chromium.org > >

Re: [blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

On 2/21/25 8:33 AM, Yoav Weiss (@Shopify) wrote: On Thursday, February 20, 2025 at 1:56:59 PM UTC+1 Yoav Weiss wrote: On Thursday, February 20, 2025 at 11:47:00 AM UTC+1 Yoav Weiss wrote: Contact emailsyoavwe...@chromium.org Explainerhttps://github.com/w3c/webappsec-sub

[blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

On Thursday, February 20, 2025 at 1:56:59 PM UTC+1 Yoav Weiss wrote: On Thursday, February 20, 2025 at 11:47:00 AM UTC+1 Yoav Weiss wrote: Contact emailsyoavwe...@chromium.org Explainerhttps://github.com/w3c/webappsec-subresource-inte grity/pull/129#:~:text=for%20some%20assets.-,require%2Dsr

[blink-dev] Re: Intent to Ship: CSP require-sri-for for scripts

On Thursday, February 20, 2025 at 11:47:00 AM UTC+1 Yoav Weiss wrote: Contact emailsyoavwe...@chromium.org Explainerhttps://github.com/w3c/webappsec-subresource- integrity/pull/129#:~:text=for%20some%20assets.-,require% 2Dsri%2Dfor%20CSP%20directive,-Subresource%2DIntegrity%20 Specificationhtt