@mikewest
I think I screwed up Chromium's layering of CSP on top of integrity metadata checks (github.com/w3c/webappsec-…). :/
Perhaps this is a good time to follow through on adding `integrity` processing to inline script and style blocks?
Dominic Farolino
@domfarolino
16 Dec
cc me on the crbug plz
Mike West
@mikewest
16 Dec
No bug yet. If folks are generally happy with github.com/w3c/webappsec-…, I'd file one bug. If not, I'd file a different bug. :)
ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰
@thezedwards
16 Dec
Qq - is this related to hash/nonce checks for 3rd party scripts (particularly for tag managers)? And the nonce checks don’t work exactly right thus basically allowing all scripts and not blocking a nonce check fail? (Sorry if mixing up words, thx for your work on CSP)
Mike West
@mikewest
16 Dec
No. At least, if that’s a bug it’s new to me. The bug here is that Chrome is sometimes enforcing integrity matches on inline script blocks (e.g. `<script integrity=…>alert(1);</script>`) when it’s not supposed to (because we never defined that SRI integration).
Tobie Langel
@tobie
16 Dec
*hugs*