Currently, `script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='` matches `<script>alert('Hello, world.');</script>`. It does not match `alert('Hello, world.');` in a non-inlined script.
I'd suggest that we alter this behavior to allow matching external scripts which assert integrity metadata about the resource requested. That is, the above directive could match:

```html
<script src="/hello.js" integrity="sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=" crossorigin="anonymous"></script>
```
As discussed on the 20.4.2016 call, this could allow some interesting loader functionality in combination with `'unsafe-dynamic'`.
(Note: Specifying this cleanly depends a bit on w3c/webappsec-subresource-integrity#31.)