From 47ad5e26883b508a5e925cab82430a46e486191e Mon Sep 17 00:00:00 2001 From: Scott Helme Date: Mon, 24 Apr 2023 17:30:49 +0100 Subject: [PATCH] Define SRI Reports, to inform site operators of integrity check failures for resources. --- index.bs | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 8f6c77e..b6bfbff 100644 --- a/index.bs +++ b/index.bs @@ -480,7 +480,7 @@ spec: SHA2; urlPrefix: http://csrc.nist.gov/publications/fips/fips180-4/fips-180 ## Handling integrity violations ## {#handling-integrity-violations} The user agent will refuse to render or execute responses that fail an integrity - check, instead returning a network error as defined in Fetch [[!Fetch]]. + check, instead returning a network error as defined in Fetch [[!Fetch]], and may send an sri report. Note: On a failed integrity check, an `error` event is fired. Developers wishing to provide a canonical fallback resource (e.g., a resource not served @@ -565,6 +565,30 @@ spec: SHA2; urlPrefix: http://csrc.nist.gov/publications/fips/fips180-4/fips-180 + # SRI Reports # {#sri-report} + + SRI Reports indicate that the user agent refused to render or execute a response that failed an integrity check. + + SRI Reports are a type of [=report=] and have the report type "sri". + + 
+    [Exposed=(Window,Worker)]
+    interface SriReportBody : ReportBody {
+      [Default] object toJSON();
+      readonly attribute USVString blockedURL;
+      readonly attribute DOMString? integrityAttribute;
+    };
+
+ + : {{blockedURL}} + :: The URL of the resource that failed the integrity check. + : {{integrityAttribute}} + :: The integrity attribute of the element. + + SRI Reports, if sent, must be sent to a reporting endpoint with a name of sri and must only be sent as the result of a failed integrity check and not any other error to ensure that no privacy or security risk is introduced. + + + # Acknowledgements # {#acknowledgements} Much of the content here is inspired heavily by Gervase Markham's