Mike West
I think I screwed up Chromium's layering of CSP on top of integrity metadata checks (). :/ Perhaps this is a good time to follow through on adding `integrity` processing to inline script and style blocks?
Per F2F discussion , consider extending this specification to support integrity metadata on inline scripts(/styles?). This also implies that require-sri-for will enforce integrity metadata on both ...
Dominic Farolino Dec 16
Replying to @mikewest
cc me on the crbug plz
Mike West Dec 16
Replying to @domfarolino
No bug yet. If folks are generally happy with , I'd file one bug. If not, I'd file a different bug. :)
ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰 Dec 16
Replying to @mikewest
Qq - is this related to hash/nonce checks for 3rd party scripts (particularly for tag managers)? And the nonce checks don’t work exactly right thus basically allowing all scripts and not blocking a nonce check fail? (Sorry if mixing up words, thx for your work on CSP)
Mike West Dec 16
Replying to @thezedwards
No. At least, if that’s a bug it’s new to me. The bug here is that Chrome is sometimes enforcing integrity matches on inline script blocks (e.g. `<script integrity=…>alert(1);</script>`) when it’s not supposed to (because we never defined that SRI integration).
Tobie Langel Dec 16
Replying to @mikewest
*hugs*