Inline scripts, CSP, and SRI #10

Open
devd opened this issue Nov 29, 2017 · 2 comments

devd commented Nov 29, 2017

If CSP whitelists a hash, an inline script with that hash or a remote script with that hash in its integrity attributes are both signed. If a CSP whitelists a public key, can we figure out a way to get it to work with inline scripts? Can we reuse the integrity attribute somehow? Or do we need a new attribute?
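The hash case from the comment above, as an added example that is not part of the issue thread or the project's code: one `script-src` hash-source admits both an inline script with that digest and an external script whose `integrity` attribute carries it. All function names and the sample script are constructed for illustration; the external check assumes the CSP3 rule that every digest in `integrity` must be listed in the policy, and it simplifies SRI's strongest-algorithm selection.

```javascript
const crypto = require("node:crypto");

// Digest in the "<alg>-<base64>" form shared by CSP hash-sources and SRI.
function digest(alg, text) {
  return alg + "-" + crypto.createHash(alg).update(text, "utf8").digest("base64");
}

// Collect the hash-sources ('sha256-...') of a policy's script-src directive.
function scriptHashSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "script-src") continue;
    return new Set(sources
      .map(s => /^'(sha(?:256|384|512))-([A-Za-z0-9+/_-]+={0,2})'$/i.exec(s))
      .filter(Boolean)
      .map(m => m[1].toLowerCase() + "-" + m[2]));
  }
  return new Set();
}

// Inline script: the element's text is hashed and looked up in the policy.
function inlineAllowed(policy, scriptText) {
  const allowed = scriptHashSources(policy);
  return ["sha256", "sha384", "sha512"]
    .some(alg => allowed.has(digest(alg, scriptText)));
}

// External script: every digest in `integrity` must be listed in the policy,
// and the fetched body must then match one of them (the SRI check).
function externalAllowed(policy, integrity, body) {
  const allowed = scriptHashSources(policy);
  const listed = integrity.trim().split(/\s+/).filter(Boolean);
  if (listed.length === 0 || !listed.every(h => allowed.has(h))) return false;
  return listed.some(h => h === digest(h.split("-")[0], body));
}

// Constructed sample: one script body, one policy listing its SHA-256 digest.
const SCRIPT = "console.log('hi');";
const POLICY = "default-src 'self'; script-src 'self' '" + digest("sha256", SCRIPT) + "'";

function demo() {
  return {
    inline: inlineAllowed(POLICY, SCRIPT),
    external: externalAllowed(POLICY, digest("sha256", SCRIPT), SCRIPT),
    tampered: inlineAllowed(POLICY, SCRIPT + " "),
  };
}
```

A public key in the policy has no counterpart here, because nothing on an inline `<script>` element carries a signature for the browser to verify, which is the gap the issue asks about.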

Member

mikewest commented Oct 9, 2024

I'd continue punting on this for the moment. Let's work out how we do things in HTTP, and then determine how to apply that to HTML.

Guessing wildly, if we end up running with the model in #16, we'd add some attributes to a script block that allowed the expression of a signature over that block, and keep the key in the integrity attribute as today? Maybe? Later. :)

@yoavweiss
Collaborator

I agree with the "later" sentiment. It'd be great to see actual deployment use cases before investing efforts in this direction.
