Feature #87420

Updated by Oliver Hader 11 months ago

In order to ensure that stylesheet and JavaScript resources are integrated without being compromised, corresponding signatures have to be added:

Documentation:

* https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

h2. For static files

Example

<pre>
<script src="https://example.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
</pre>

This step also requires that signatures be generated every time the source code is modified in Git commits. Dynamically generating signatures does not make sense since that would just sign compromised data as well. The "trust aspect" still has to be defined here, in terms of "how to verify that signatures are not compromised".

h2. For ("unsafe") inline assignments

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

Example

<pre>
Content-Security-Policy: script-src 'nonce-2726c7f26c'
</pre>

<pre>
<script nonce="2726c7f26c">
var inline = 1;
</script>
</pre>
