I think I screwed up Chromium's layering of CSP on top of integrity metadata checks (https://github.com/w3c/webappsec-subresource-integrity/issues/44#issuecomment-566016981 …). :/ Perhaps this is a good time to follow through on adding `integrity` processing to inline script and style blocks?
Qq - is this related to hash/nonce checks for 3rd party scripts (particularly for tag managers)? And the nonce checks don’t work exactly right thus basically allowing all scripts and not blocking a nonce check fail? (Sorry if mixing up words, thx for your work on CSP)
No. At least, if that’s a bug it’s new to me. The bug here is that Chrome is sometimes enforcing integrity matches on inline script blocks (e.g. `<script integrity=…>alert(1);</script>`) when it’s not supposed to (because we never defined that SRI integration).
Ah thank you for clarifying what you meant by that - I figured there was some slightly more technical blocking and I think that’s the case. Not a ton of folks use nonce checks through tag managers like GTM so I just wanted to confirm there wasn’t an odd issue. Prob fine. Cheers~