Feature #87420
Parent: Epic #87417: Integrate proper Content Security Policy (CSP) handling (closed)
Integrate signatures for Stylesheet and JavaScript resources
Description
To ensure that stylesheet and JavaScript resources are included without having been tampered with, corresponding signatures have to be added:
Documentation:
- https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
For static files
Example:
<script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
This also means that signatures have to be regenerated every time the source code is modified, i.e. as part of Git commits. Generating signatures dynamically at request time does not make sense, since that would just sign already compromised data as well. The "trust aspect" is still to be defined here, i.e. how to verify that the signatures themselves have not been compromised.
For ("unsafe") inline assignments
Example:
Content-Security-Policy: script-src 'nonce-2726c7f26c'
<script nonce="2726c7f26c"> var inline = 1; </script>
Updated by Georg Ringer almost 5 years ago
- Has duplicate Feature #85939: Implement integrity-argument for link-tags in includeCSS added
Updated by Oliver Hader about 3 years ago
- Target version changed from Candidate for Major Version to 12 LTS
Updated by Benjamin Franzke almost 3 years ago
- Blocks Task #97068: Generate a random importmap nonce for CSP compliance added
Updated by Oliver Hader almost 2 years ago
- Blocks deleted (Task #97068: Generate a random importmap nonce for CSP compliance)
Updated by Oliver Hader over 1 year ago
- Has duplicate Task #100141: Add possibility to add resource hashes added
Updated by Oliver Hader over 1 year ago
- Has duplicate deleted (Feature #85939: Implement integrity-argument for link-tags in includeCSS)
Updated by Oliver Hader over 1 year ago
→ done with #100141 - but only in the scope of content-security-policy headers, not in general for the integrity attribute, which has a different scope
Updated by Benni Mack over 1 year ago
- Target version changed from 12 LTS to Candidate for Major Version
Updated by Oliver Hader over 1 year ago
- Status changed from Accepted to Closed
Done in the scope of CSP.