#1048: `Integrity-Policy` header for scripts


Opened Feb 6, 2025

Hello, TAG!

I'm requesting a TAG review of the Integrity-Policy header for scripts.

Subresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI.

The Integrity-Policy header gives developers the ability to assert that every resource of a given type needs to be integrity-checked. If a resource of that type is attempted to be loaded without integrity metadata, that attempt will fail and trigger a violation report.

Further details:

  • I have reviewed the TAG's Web Platform Design Principles
  • Previous early design review, if any: N/A
  • Relevant time constraints or deadlines: I'd like to ship this soon
  • The group where the work on this specification is currently being done: WebAppSec
  • The group where standardization of this work is intended to be done (if different from the current group):
  • Major unresolved issues with or opposition to this specification:
  • This work is being funded by: Shopify
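To make the enforcement rule in the request above concrete, here is a small policy evaluator added for this review page; it is not code from the Subresource Integrity spec, from the Chromium implementation, or from the requester. It parses an Integrity-Policy header value written as a structured-field dictionary (the `blocked-destinations`, `sources` and `endpoints` keys and the report-only variant are my understanding of the WebAppSec draft, not something this page states) and then decides, for each constructed script or style fetch, whether the load is blocked and whether a violation report is generated. Hash verification itself is ordinary SRI and is out of scope here; the evaluator only checks that integrity metadata is present.

```python
"""Toy evaluator for the Integrity-Policy header semantics described in the
review request: every resource of a blocked destination must carry SRI
integrity metadata, otherwise the load fails and a violation report is sent.

Assumptions (not from the page): header syntax is a structured-field
dictionary of inner lists, e.g.
  Integrity-Policy: blocked-destinations=(script), sources=(inline), endpoints=(sri-reports)
and Integrity-Policy-Report-Only has the same shape but never blocks.
"""
import re
from dataclasses import dataclass, field

_INNER_LIST = re.compile(r"^\(([^)]*)\)$")


@dataclass
class IntegrityPolicy:
    blocked_destinations: set = field(default_factory=set)
    sources: set = field(default_factory=lambda: {"inline"})
    endpoints: list = field(default_factory=list)
    report_only: bool = False


def parse_integrity_policy(value, report_only=False):
    """Minimal parser: dictionary members separated by ',', each 'key=(tok tok)'.
    Unknown keys and unknown tokens are kept/ignored for forward compatibility."""
    policy = IntegrityPolicy(report_only=report_only)
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        key, _, raw = member.partition("=")
        key, raw = key.strip(), raw.strip()
        match = _INNER_LIST.match(raw)
        items = match.group(1).split() if match else ([raw] if raw else [])
        if key == "blocked-destinations":
            policy.blocked_destinations = set(items)
        elif key == "sources":
            policy.sources = set(items)
        elif key == "endpoints":
            policy.endpoints = list(items)
    return policy


@dataclass
class Request:
    url: str
    destination: str          # "script", "style", ... (Fetch request destination)
    integrity: str = ""       # the element's integrity attribute, "" if absent
    document_url: str = "https://app.example.test/"  # constructed sample origin


def evaluate(policy, req):
    """Return (blocked, report). A report is produced whenever the policy is
    violated; the load is blocked only if the policy is not report-only."""
    if req.destination not in policy.blocked_destinations:
        return False, None                      # policy does not cover this type
    if req.integrity.strip():
        return False, None                      # integrity metadata present: SRI decides
    report = {
        "documentURL": req.document_url,
        "blockedURL": req.url,
        "destination": req.destination,
        "reportOnly": policy.report_only,
        "endpoints": list(policy.endpoints),
    }
    return (not policy.report_only), report


# Constructed sample: one script with SRI metadata, one without, one stylesheet.
SAMPLE_REQUESTS = [
    Request("https://cdn.example.test/app.js", "script",
            "sha384-CONSTRUCTED_PLACEHOLDER_DIGEST"),
    Request("https://cdn.example.test/vendor.js", "script"),
    Request("https://cdn.example.test/site.css", "style"),
]
ENFORCE = parse_integrity_policy(
    "blocked-destinations=(script), sources=(inline), endpoints=(sri-reports)")
REPORT_ONLY = parse_integrity_policy(
    "blocked-destinations=(script), sources=(inline), endpoints=(sri-reports)",
    report_only=True)


def run(policy, requests=SAMPLE_REQUESTS):
    """Evaluate every request; returns [(url, blocked, report), ...]."""
    return [(r.url, *evaluate(policy, r)) for r in requests]


if __name__ == "__main__":
    for url, blocked, report in run(ENFORCE):
        print("BLOCKED " if blocked else "allowed ", url, "(report)" if report else "")
```

Rolling the policy out as Integrity-Policy-Report-Only first (the `report_only=True` path above) surfaces every script that still lacks an `integrity` attribute without breaking the page; switching to the enforcing header once the report endpoint goes quiet is the low-risk order of operations.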

Discussions


Discussed Apr 14, 2025 (See Github)

Hadley: Feel like Jeffrey and Martin may have opinions about this … probably needs lots of reviews.

Xiaocheng: Think it's mostly about security.

Discussed Apr 21, 2025 (See Github)

Need to wait for Yoav to reply to the github issue or blink-dev thread.

Comment by @jyasskin Apr 21, 2025 (See Github)

Hi @yoavweiss. It looks like require-sri-for has been replaced by Integrity-Policy (https://github.com/w3c/webappsec-subresource-integrity/pull/133) Is there an explainer for the new thing to help us figure out what to review? (Thanks to the blink-dev thread for tipping me off. :)

Comment by @yoavweiss Apr 23, 2025 (See Github)

Thanks for the ping!

Relevant PR, including an explainer in its description. WPT Tests

Should I change this review's description to include all the right details?

Comment by @yoavweiss Apr 23, 2025 (See Github)

> Should I change this review's description to include all the right details?

I'll just go ahead and do that :)

Discussed May 12, 2025 (See Github)

Jeffrey: Haven't done any real work here. This doesn't do what you want for signature-based SRI, where you want to attach some public keys to the overall document.

Martin: But I don't think that needs to be included in the first iteration.

Jeffrey: We should actually review and come back next week.

Discussed May 19, 2025 (See Github)

Martin: I think this is roughly fine. Would like a second opinion. Didn't look thoroughly, but it doesn't warrant one. Coming out of a good WG.

Jeffrey: Also my sense.

Martin: Aside from the general "Does this have to be this complicated?"

Jeffrey: satisfied with a general "happy this is going through the right WGs". Will draft that and run it by the Slack channel.