Feature #87420

Updated by Oliver Hader over 5 years ago

In order to ensure that stylesheet and JavaScript resources are integrated without being compromised, the corresponding signatures have to be added: 

 Documentation: 

 * https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity 
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src 
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src 

 h2. For static files 

 Example 

 <pre> 
 <script src="https://example.com/example-framework.js" 
         integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" 
         crossorigin="anonymous"></script> 
 </pre> 

 This step also requires that the signatures be regenerated every time the source code is modified in a Git commit. Generating the signatures dynamically at request time does not make sense, since that would just sign compromised data as well. The "trust aspect" is still to be defined here, in terms of how to verify that the signatures themselves are not compromised. 
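 As an added illustration (not code from TYPO3 or from this issue), the following Python script shows both halves of the static-file case: computing the @integrity@ value for a resource at build/commit time, and re-checking fetched bytes against a stored value, which is the check a browser performs on load and which a build pipeline can repeat to detect a modified file. The sample JavaScript content is constructed here and stands in for @example-framework.js@; the function names are this example's own.

```python
import base64
import hashlib
import hmac

# Constructed sample resource standing in for example-framework.js (not the real file).
SAMPLE_JS = b"window.exampleFramework = { version: '1.0' };\n"

# SRI only permits these three digest algorithms; anything else is ignored by browsers.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value, e.g. "sha384-<base64 digest>", for content.

    This is what a build step would run over each static file on every commit.
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag with integrity and crossorigin attributes, as in the example above."""
    return (f'<script src="{src}" integrity="{sri_digest(content)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """Re-check fetched bytes against a stored integrity value.

    Returns False for an unknown algorithm, malformed base64, or a digest mismatch.
    The comparison is constant-time so a mismatch position does not leak via timing.
    """
    algorithm, _, expected = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False
    try:
        expected_raw = base64.b64decode(expected, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = hashlib.new(algorithm, content).digest()
    return hmac.compare_digest(actual, expected_raw)


if __name__ == "__main__":
    integrity = sri_digest(SAMPLE_JS)
    print(script_tag("https://example.com/example-framework.js", SAMPLE_JS))
    print("unmodified file verifies:", verify_sri(SAMPLE_JS, integrity))
    # A file altered after the hash was recorded must fail the check.
    print("tampered file verifies:", verify_sri(SAMPLE_JS + b"alert(1);", integrity))
```

 The stored @integrity@ values only protect against a resource being altered between the commit that produced them and the browser fetching it; they say nothing about whether the committed source was already compromised, which is the open "trust aspect" above.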

 h2. For ("unsafe") inline assignments 

 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script 

 Example 

 <pre> 
 Content-Security-Policy: script-src 'nonce-2726c7f26c' 
 </pre> 

 <pre> 
 <script nonce="2726c7f26c"> 
   var inline = 1; 
 </script> 
 </pre> 
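 As an added example (not code from TYPO3 or from this issue), the following Python script shows how the header and the inline tag in the two snippets above fit together for one response: a fresh, unpredictable nonce is generated per response, written into the @script-src@ directive and into the @nonce@ attribute, and a simplified nonce-only policy check then accepts the intended inline script while rejecting an injected one that carries no matching nonce. The @2726c7f26c@ value from the snippets is reused only to show the fixed format; the function names and the policy checker are this example's own, and the checker covers the nonce mechanism only, not the rest of CSP's source matching.

```python
import base64
import re
import secrets


def generate_nonce(num_bytes: int = 16) -> str:
    """Fresh nonce for one HTTP response: 128 bits of CSPRNG output, base64 encoded.

    A nonce must not be reused across responses; a fixed value would let any
    injected markup simply copy it.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def csp_header(nonce: str) -> str:
    """Value of the Content-Security-Policy header for a nonce-only script-src."""
    return f"script-src 'nonce-{nonce}'"


def inline_script(nonce: str, body: str) -> str:
    """Inline <script> carrying the nonce the header allows."""
    return f'<script nonce="{nonce}">\n{body}\n</script>'


def render_response(script_body: str) -> tuple:
    """One response: the same freshly generated nonce goes into header and tag."""
    nonce = generate_nonce()
    return csp_header(nonce), inline_script(nonce, script_body)


# Simplified policy check: which <script> tags would a nonce-only script-src allow?
POLICY_NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
SCRIPT_TAG_RE = re.compile(r"<script(?P<attrs>[^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r'nonce="([^"]*)"')


def scripts_allowed_by_policy(html: str, policy: str) -> list:
    """For each <script> tag in html, True if its nonce attribute matches a nonce in policy.

    Only the nonce mechanism is modelled (no host or hash sources); a tag without a
    matching nonce is rejected, which is what happens to injected inline script.
    """
    allowed = set(POLICY_NONCE_RE.findall(policy))
    results = []
    for match in SCRIPT_TAG_RE.finditer(html):
        attr = NONCE_ATTR_RE.search(match.group("attrs"))
        results.append(attr is not None and attr.group(1) in allowed)
    return results


if __name__ == "__main__":
    header, html = render_response("  var inline = 1;")
    # Constructed injected markup with no nonce, to show it is rejected.
    html += '<script>alert("injected")</script>'
    print("Content-Security-Policy:", header)
    print(html)
    print("allowed per tag:", scripts_allowed_by_policy(html, header))
```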
