Integrity Policy for scripts

Category: Security
Type: New or changed feature
Status: Proposed (Chrome Proposed)
Intent stage: None

Summary

Subresource-Integrity (SRI) enables developers to make sure the assets they intend to load are indeed the assets they are loading. But there's no current way for developers to be sure that all of their scripts are validated using SRI. The Integrity-Policy header gives developers the ability to assert that every resource of a given type needs to be integrity-checked. If a resource of that type is attempted to be loaded without integrity metadata, that attempt will fail and trigger a violation report.

Motivation

The ability to assert that all resources of a certain destination were loaded with guaranteed integrity can help developers be sure that no asset is bypassing such protections. That can help them be sure their PCIv4 compliance [1] remains intact. [1] https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0

Standards & signals

Specification: https://github.com/w3c/webappsec-subresource-integrity/pull/133
Firefox: Positive — The syntax was collaboratively worked on with Mozilla folks and was adapted to be future-compatible with their plans on that front. At the same time, no official signal just yet.
Safari: Support — "reasonable problem to solve" but no official signal yet.
Web developers: Positive — Shopify is highly interested in this.

Explainers: https://github.com/w3c/webappsec-subresource-integrity/pull/133

View on chromestatus.com