CSP external hashes will be a huge win for orgs already using SRI. https://www.w3.org/TR/CSP3/#external-hash … make this happen!!!
If I understand Google's position correctly, this will require the script to use CORS, since it is a new feature. /cc @mikewest
Also, Google's position != Mike's position. If I was the decider, we'd be shipping fewer things without CORS over HTTP.
@ndm -
You mention "over HTTP" in contrast to "over HTTPS"? I wonder if CSP should have a "make everything require CORS" directive.
WRT CORS, patches welcome, I suppose! Not sure whether that would help... what threats would it mitigate?
@ndm -
On its own maybe not much. It would facilitate adding a way for a subresource server to opt into CORS-only for its responses.
This may be preferable to extending frame-ancestors to <img> and <script>. Maybe even completely subsume frame-ancestors.
SRI already requires CORS.
@ndm -
Good point! This and SRI and probably other things already intrinsically requiring CORS support Google's position.