[wp-trac] [WordPress Trac] #33948: Implement subresource integrity (SRI)
WordPress Trac
noreply at wordpress.org
Mon Sep 21 18:09:20 UTC 2015
#33948: Implement subresource integrity (SRI)
---------------------------+--------------------------------------
Reporter: johnbillion | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Script Loader | Version:
Severity: normal | Keywords: needs-patch dev-feedback
Focuses: |
---------------------------+--------------------------------------
Chrome 45 (released 1st September) has shipped with
[http://w3c.github.io/webappsec/specs/subresourceintegrity/ subresource
integrity]. Firefox will ship with it in 43 (expected December 2015).
Browsers that support SRI will block a script or style resource from
loading if the hash of its contents doesn't match the precomputed hash in
the `integrity` attribute for the resource.
We should investigate adding the `integrity` attribute to core's scripts
and styles. While it affords little protection by default (because a
hacked site could also have its hashes recomputed), it does protect sites
that offload CSS and JS to a CDN.
The hashes can be computed during the build process.
One concern I have is that this introduces a requirement to re-compute the
file hash every time a CSS or JS file is changed during development, which
will be a complete pain for anyone hacking on WordPress. The answer could
be to exclude the `integrity` attribute when `WP_DEBUG` is set to true
(and thus, only compute the hashes for minified files).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33948>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
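The approach the ticket sketches (hash minified files at build time, emit the `integrity` attribute at runtime, skip it under `WP_DEBUG`) as an added example. This is illustrative code written for this page, not a patch from the ticket and not WordPress core; it assumes the `sri_`-prefixed function names, the manifest path in `SRI_MANIFEST` and the sample file list, and it relies on WordPress's existing `script_loader_tag` filter, `esc_attr()` and the `WP_DEBUG` constant when loaded inside WordPress.

```php
<?php
/**
 * Added example, not from the ticket or from WordPress core.
 * Build step: hash the minified files core ships and write a handle => integrity
 * manifest. Runtime: a script_loader_tag filter adds integrity/crossorigin to
 * the <script> tag for any handle in the manifest, unless WP_DEBUG is on.
 */

// Assumed location of the generated manifest (hypothetical path).
if ( ! defined( 'SRI_MANIFEST' ) ) {
    define( 'SRI_MANIFEST', __DIR__ . '/sri-manifest.json' );
}

// Value of the integrity attribute for one file: "<algo>-<base64 of the raw digest>".
// SRI uses the binary digest, base64-encoded; a hex digest would not validate.
function sri_integrity_for_file( $path, $algo = 'sha384' ) {
    if ( ! is_readable( $path ) ) {
        return false;
    }
    $raw = hash_file( $algo, $path, true );
    if ( false === $raw ) {
        return false;
    }
    return $algo . '-' . base64_encode( $raw );
}

// Build step: only minified files are hashed, so the hash is stable between
// releases and development edits to the unminified sources do not break it.
function sri_build_manifest( array $files ) {
    $manifest = array();
    foreach ( $files as $handle => $path ) {
        $value = sri_integrity_for_file( $path );
        if ( false !== $value ) {
            $manifest[ $handle ] = $value;
        }
    }
    return $manifest;
}

// Load the manifest once per request; an unreadable or invalid file means
// no integrity attributes rather than a broken page.
function sri_load_manifest() {
    static $manifest = null;
    if ( null === $manifest ) {
        $json     = is_readable( SRI_MANIFEST ) ? file_get_contents( SRI_MANIFEST ) : '';
        $decoded  = $json ? json_decode( $json, true ) : null;
        $manifest = is_array( $decoded ) ? $decoded : array();
    }
    return $manifest;
}

// Runtime: script_loader_tag receives the full <script> tag, the handle and the src.
// crossorigin='anonymous' is required for SRI to apply to a resource served from
// another origin (a CDN), and that origin must answer with CORS headers.
function sri_script_loader_tag( $tag, $handle, $src ) {
    if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        return $tag; // dev files change constantly; the ticket's proposed opt-out
    }
    $manifest = sri_load_manifest();
    if ( empty( $manifest[ $handle ] ) || false !== strpos( $tag, 'integrity=' ) ) {
        return $tag;
    }
    $attrs = sprintf(
        " integrity='%s' crossorigin='anonymous'",
        esc_attr( $manifest[ $handle ] )
    );
    return str_replace( '<script ', '<script' . $attrs . ' ', $tag );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: hook the filter (script_loader_tag passes 3 arguments).
    add_filter( 'script_loader_tag', 'sri_script_loader_tag', 10, 3 );
} elseif ( PHP_SAPI === 'cli' ) {
    // Outside WordPress, as a build step:  php sri.php > sri-manifest.json
    // The handle/path pairs below are assumed sample input, not core's real list.
    $files = array(
        'jquery-core' => __DIR__ . '/wp-includes/js/jquery/jquery.js',
        'underscore'  => __DIR__ . '/wp-includes/js/underscore.min.js',
    );
    echo json_encode( sri_build_manifest( $files ), JSON_PRETTY_PRINT ), "\n";
}
```

Two things a deployment has to get right for this to protect a CDN-hosted copy rather than break it: the bytes the CDN serves must be identical to the bytes hashed at build time (a CDN that re-minifies, strips comments or appends a tracking snippet will cause the browser to block the file), and the CDN must serve the file with CORS headers, because without `crossorigin` and a CORS-enabled response the browser cannot check a cross-origin resource against the hash at all.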