Revive require-sri-for for scripts

index.bs

@@ -28,9 +28,28 @@ spec: ABNF; urlPrefix: https://tools.ietf.org/html/rfc5234
   type: dfn
     text: VCHAR; url: appendix-B.1
     text: WSP; url: appendix-B.1
+    text: OWS; url: appendix-B.1
   type: grammar
     text: VCHAR; url: appendix-B.1
     text: WSP; url: appendix-B.1
+    text: OWS; url: appendix-B.1
+
+spec: HTTP; urlPrefix: https://tools.ietf.org/html/rfc7230
+  type: dfn
+    text: token; url: #section-3.2.6
+  type: grammar
+    text: token; url: #section-3.2.6
+
+spec: CSP; urlPrefix: https://w3c.github.io/webappsec-csp/
+  type: dfn
+    text: Content Security Policy; urlPrefix: #
+    text: policy; url: policy
+    text: directive; url: directives
+    text: value; for: directive; url: directive-value
+    text: pre-request check; url: directive-pre-request-check
+    text: create a violation object for global; url: create-violation-for-global
+    text: report violation; url: report-violation
+    text: disposition; for: policy
 
 spec: RFC7234; urlPrefix: https://tools.ietf.org/html/rfc7234
   type: dfn
@@ -203,8 +222,6 @@ spec:csp3; type:grammar; text:base64-value
   Content Security Policy defines the <a grammar>`base64-value`</a> and
   <a grammar>`hash-algorithm`</a> rules. [[!CSP]]
 
-  </section>
-
   <!-- ####################################################################### -->
 
   # Framework # {#framework}
@@ -322,7 +339,103 @@ spec:csp3; type:grammar; text:base64-value
   supported by this specification.
 
 
-  ## Response verification algorithms ## {#verification-algorithms}
+  ## Request verification algorithms ## {#request-verification-algorithms}
+
+  ### Opting-in  ### {#opt-in-integrity-required}
+
+  Authors may opt a {{Document}} to require SRI metadata be present for 
+  some resource types via a <dfn export>integrity-required</dfn> <a>Content
+  Security Policy</a> directive defined by the following ABNF grammar:
+
+  <pre dfn-type="grammar" link-type="grammar">
+      directive-name  = "integrity-required"
+      directive-value = <a grammar>token</a> *( <a>OWS</a> <a>token</a> )
+  </pre>
+
+  The following list contains the set of <dfn noexport>known tokens</dfn>:
+
+    * `script` requires SRI for scripts
+
+
+  ### Parsing `integrity-required` ### {#parse-integrity-required}
+
+  Given a string (|token list|), this algorithm returns a list of resource
+  types which will require integrity checks:
+
+  1.  Let |protected resource types| be the empty <a for=/>set</a>.
+
+  2.  For each |token| in the result of <a lt="split a string on ascii whitespace">
+      splitting |token list| on spaces</a>, if token matches the grammar
+      for <a>integrity-required</a> and is a <a>ASCII case-insensitive match</a>
+      for any of the <a>known token</a>s, add |token| to |protected resource types|.
+      Otherwise, ignore the token.
+
+  3.  Return the set of |protected resource types|.
+
+  ### Apply |algorithm| to |request| ### {#apply-algorithm-to-request}
+
+  This directive’s <a>pre-request check</a> is as follows:
+
+  Given a <a for="/">request</a> (|request|) and a <a>policy</a> (<var ignore>policy</var>):
+
+  1.  If |request|'s <a for=request>url</a>'s <a for=url>scheme</a> <a>is local</a>,
+      return "Allowed".
+
+  2.  Let |protected resource types| be the result of executing
+      [[#parse-integrity-required]] on this <a>directive</a>'s <a for="directive">value</a>.
+
+  3.  Let |protected| be a <a>boolean</a>, initially set to false.
+
+  4.  <a for=set>For each</a> |token| of |protected resource types|, 
+      if |request|'s <a for=request>destination</a> is an <a>ASCII case-insensitive match</a> for |token|,
+      set |protected| to true.
+
+  Note: Matching tokens to the request's destination means that worker and worklets will not be covered by `integrity-required script`,
+        and will not require integrity checks when it's defined.
+        Once we have a way to define integrity metadata for workers or worklets
+        (e.g. [HTML#10858](https://github.com/whatwg/html/pull/10858)), we would be able to add a separate token for them.
+
+
+  5.  If |protected| is false,
+      return "Allowed".
+
+  6.  Let |parsedMetadata| be the result of <a href="#parse-metadata">parsing</a> |request|'s
+      <a>integrity metadata</a>.
+
+  7.  If |request|'s <a for=request>mode</a> is not "no-cors" and
+      |parsedMetadata| is not the empty <a for=/>set</a>,
+      return "Allowed".
+
+      Note: This logic means that request with matched <a for=request>destination</a> and missing
+      <a>integrity metadata</a> will be blocked even if it is not currently possible to set its
+      <a>integrity metadata</a>.
+      Such requests are originated by, for example, <code>importScripts()</code>,
+      or `script` elements without crossorigin content attribute.
+
+  8.  Return "Blocked".
+
+  <div class="example">
+    A page with the following Content Security Policy:
+
+    <pre>
+      Content-Security-Policy: <a>integrity-required</a> script
+    </pre>
+
+    is equivalent to Content Security Policy delivered through `<meta>`
+    element:
+
+    <pre>
+      &lt;meta http-equiv="Content-Security-Policy"
+            content="<a>integrity-required</a> script"&gt;
+    </pre>
+
+
+    and requires <a>integrity metadata</a> be present in `script`
+    elements that contain `src` attribute.
+  </div>
+
+
+  ## Response verification algorithms ## {#response-verification-algorithms}
 
   ### Apply |algorithm| to |bytes| ### {#apply-algorithm-to-response}
 
@@ -547,6 +660,17 @@ spec:csp3; type:grammar; text:base64-value
   to load the document. A successful load would confirm that the attacker
   has correctly guessed the username.
 
+
+  <section>
+    <h2 id="iana-considerations">IANA Considerations</h2>
+
+    The Content Security Policy Directive registry should be updated with the
+    following directives and references [[!RFC7762]]:
+
+    :   <a>`integrity-required`</a>
+    ::  This document (see [[#opt-in-integrity-required]])
+  </section>
+
   <!-- ####################################################################### -->
 
   # Acknowledgements # {#acknowledgements}