Issue 618924 CSP: Experiment with 'require-sri-for'
Starred by 2 users Reported by shek...@gmail.com, Jun 10 2016
Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36

Steps to reproduce the problem:
No way for me to open issue to track CSP feature implementation, sorry for using this template.

What is the expected behavior?

What went wrong?
As described at https://github.com/w3c/webappsec-subresource-integrity/pull/32

Did this work before? N/A 

Chrome version: 51.0.2704.79  Channel: n/a
OS Version: OS X 10.11.5
Flash Version: Shockwave Flash 21.0 r0
 
Cc: jww@chromium.org
Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Feature
Status: Available
jww- Is there an appropriate component for this request? Or should it live in github?
Comment 2 by jww@chromium.org, Jun 10 2016
Cc: mkwst@chromium.org
Labels: -OS-Mac OS-All
Blink->SecurityFeature is perfect. I've CC'd Mike as well.
Project Member Comment 3 by bugdroid1@chromium.org, Jul 14 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/615df311feca979548acd4f73ce3d7ac34449e3a

commit 615df311feca979548acd4f73ce3d7ac34449e3a
Author: shekyan <shekyan@gmail.com>
Date: Thu Jul 14 19:10:31 2016

Implement the `require-sri-for` CSP directive

As defined in [1], this CSP directive allows developers to block resource
requests that do not contain integrity metadata. This includes contexts
like external scripts, workers, shared workers, service workers, external
stylesheets, preload requests, and requests originated by CSS @import.

[1]: https://w3c.github.io/webappsec-subresource-integrity/#opt-in-require-sri-for

Intent to implement: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/jyCdW1dHyYA/YefRSKs1AQAJ

BUG=618924
R=mkwst@chromium.org

Review-Url: https://codereview.chromium.org/2056183002
Cr-Commit-Position: refs/heads/master@{#405530}

[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/not-ran.js
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/ran.js
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-allowed-meta.html
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-blocked-meta.html
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-preload-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-preload-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-reportonly-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-reportonly-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-serviceworker-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-sharedworker-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-sharedworker-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-import-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-preload-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-preload-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-reportonly-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-reportonly-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-svg-script-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-fromblob-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-fromblob-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/sri-sharedworker.js
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/sri-worker.js
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/fetch/FetchRequest.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/html/HTMLLinkElement.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/AbstractWorker.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/AbstractWorker.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/InProcessWorkerBase.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/SharedWorker.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp
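
The blocking decision described in the commit message above, as an added example that is not part of the issue thread or the Chromium change. The function names, the destination-to-token mapping, the hash-token strictness and the sample requests are assumptions made for illustration.

```javascript
// Added example, not Chromium code. The destination mapping follows the
// contexts listed in the commit message and is an assumption of this sketch.
const COVERED = new Map([
  ['script', new Set(['script', 'worker', 'sharedworker', 'serviceworker'])],
  ['style', new Set(['style'])],
]);

// Return the set of require-sri-for tokens in a serialized policy.
// As with other CSP directives, only the first occurrence is honoured.
function parseRequireSriFor(policy) {
  const tokens = new Set();
  for (const directive of policy.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'require-sri-for') continue;
    values.map((v) => v.toLowerCase()).filter((v) => COVERED.has(v)).forEach((v) => tokens.add(v));
    break;
  }
  return tokens;
}

// Integrity metadata counts as present only if at least one token is a
// well-formed sha256/sha384/sha512 hash expression (strictness chosen here).
const HASH_TOKEN = /^sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}(\?\S*)?$/;
function hasIntegrityMetadata(integrity) {
  return (integrity || '').trim().split(/\s+/).some((t) => HASH_TOKEN.test(t));
}

// Decide what happens to one request: 'allow', 'block', or 'report' when the
// policy was delivered in report-only mode.
function checkRequest(policy, request, reportOnly = false) {
  for (const token of parseRequireSriFor(policy)) {
    const covered = COVERED.get(token).has(request.destination);
    if (covered && !hasIntegrityMetadata(request.integrity)) {
      return reportOnly ? 'report' : 'block';
    }
  }
  return 'allow';
}

// Constructed sample input (URLs and the hash value are placeholders).
const POLICY = "default-src 'self'; require-sri-for script style";
const SAMPLE = [
  { destination: 'script', url: 'https://cdn.example/app.js', integrity: 'sha384-Q09OU1RSVUNURUQ=' },
  { destination: 'script', url: 'https://cdn.example/lib.js', integrity: '' },
  { destination: 'style', url: 'https://cdn.example/site.css' },
  { destination: 'sharedworker', url: '/worker.js', integrity: 'md5-abc' },
  { destination: 'image', url: '/logo.png' },
];
const auditSample = () => SAMPLE.map((r) => `${checkRequest(POLICY, r)} ${r.url}`);
```

Running `auditSample()` over a page's own resource list shows which loads need an `integrity` attribute before the directive is enforced.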