diff --git a/index.bs b/index.bs index da776d4..c7c425d 100644 --- a/index.bs +++ b/index.bs @@ -28,9 +28,28 @@ spec: ABNF; urlPrefix: https://tools.ietf.org/html/rfc5234 type: dfn text: VCHAR; url: appendix-B.1 text: WSP; url: appendix-B.1 + text: OWS; url: appendix-B.1 type: grammar text: VCHAR; url: appendix-B.1 text: WSP; url: appendix-B.1 + text: OWS; url: appendix-B.1 + +spec: HTTP; urlPrefix: https://tools.ietf.org/html/rfc7230 + type: dfn + text: token; url: #section-3.2.6 + type: grammar + text: token; url: #section-3.2.6 + +spec: CSP; urlPrefix: https://w3c.github.io/webappsec-csp/ + type: dfn + text: Content Security Policy; urlPrefix: # + text: policy; url: policy + text: directive; url: directives + text: value; for: directive; url: directive-value + text: pre-request check; url: directive-pre-request-check + text: create a violation object for global; url: create-violation-for-global + text: report violation; url: report-violation + text: disposition; for: policy spec: RFC7234; urlPrefix: https://tools.ietf.org/html/rfc7234 type: dfn @@ -203,8 +222,6 @@ spec:csp3; type:grammar; text:base64-value Content Security Policy defines the `base64-value` and `hash-algorithm` rules. [[!CSP]] - - # Framework # {#framework} @@ -322,7 +339,103 @@ spec:csp3; type:grammar; text:base64-value supported by this specification. - ## Response verification algorithms ## {#verification-algorithms} + ## Request verification algorithms ## {#request-verification-algorithms} + + ### Opting-in ### {#opt-in-require-sri-for} + + Authors may opt a {{Document}} to require SRI metadata be present for + some resource types via a require-sri-for Content + Security Policy directive defined by the following ABNF grammar: + +
+ directive-name = "require-sri-for" + directive-value = token *( OWS token ) ++ + The following list contains the set of known tokens: + + * `script` requires SRI for scripts + + + ### Parsing `require-sri-for` ### {#parse-require-sri-for} + + Given a string (|token list|), this algorithm returns a list of resource + types which will require integrity checks: + + 1. Let |protected resource types| be the empty set. + + 2. For each |token| in the result of + splitting |token list| on spaces, if token matches the grammar + for require-sri-for and is a ASCII case-insensitive match + for any of the known tokens, add |token| to |protected resource types|. + Otherwise, ignore the token. + + 3. Return the set of |protected resource types|. + + ### Apply |algorithm| to |request| ### {#apply-algorithm-to-request} + + This directive’s pre-request check is as follows: + + Given a request (|request|) and a policy (policy): + + 1. If |request|'s url's scheme is local, + return "Allowed". + + 2. Let |protected resource types| be the result of executing + [[#parse-require-sri-for]] on this directive's value. + + 3. Let |protected| be a boolean, initially set to false. + + 4. For each |token| of |protected resource types|, + if |request|'s destination is an ASCII case-insensitive match for |token|, + set |protected| to true. + + Note: Matching tokens to the request's destination means that worker and worklets will not be covered by `require-sri-for script`, + and will not require integrity checks when it's defined. + Once we have a way to define integrity metadata for workers or worklets + (e.g. [HTML#10858](https://github.com/whatwg/html/pull/10858)), we would be able to add a separate token for them. + + + 5. If |protected| is false, + return "Allowed". + + 6. Let |parsedMetadata| be the result of parsing |request|'s + integrity metadata. + + 7. If |request|'s mode is not "no-cors" and + |parsedMetadata| is not the empty set, + return "Allowed". 
+ + Note: This logic means that request with matched destination and missing + integrity metadata will be blocked even if it is not currently possible to set its + integrity metadata. + Such requests are originated by, for example,
importScripts()
,
+ or `script` elements without crossorigin content attribute.
+
+ 8. Return "Blocked".
+
+ + Content-Security-Policy: require-sri-for script ++ + is equivalent to Content Security Policy delivered through `` + element: + +
+ <meta http-equiv="Content-Security-Policy" + content="require-sri-for script"> ++ + + and requires integrity metadata be present in `script` + elements that contain `src` attribute. +
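Review bot: In the new CSP anchor block, `text: disposition; for: policy` is the only entry with no `url:`; with `urlPrefix: #` in effect it resolves to a bare fragment, so give it an explicit target like its sibling entries (`text: policy; url: policy`, `text: directive; url: directives`). The paired `dfn`/`grammar` entries for `OWS` and `token` look right.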
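Review bot: Step 2 of the `require-sri-for` parsing algorithm splits |token list| "on spaces", but the grammar `directive-value = token *( OWS token )` allows any OWS (including HTAB) between tokens; either split on ASCII whitespace or restrict the grammar to SP so the prose and the ABNF agree. The same step should say the token matches the grammar for `token` (not for `require-sri-for`, which is the directive name) and read "an ASCII case-insensitive match". In the pre-request check, the `policy` parameter is listed in the prologue but never used and is not marked as a variable (|policy|) like |request| is. Step 7 only tests |parsedMetadata| against the empty set; say explicitly that a parse result of no metadata at all (absent attribute) also falls through to step 8, since that is the case the following Note is about. Finally, this hunk drops `## Response verification algorithms ## {#verification-algorithms}` and nothing in the visible lines re-adds it; if the heading is restored further down, keep the old `{#verification-algorithms}` id so existing links to it don't break.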