FF142 Integrity-Policy can be enforced on stylesheets #40746
| The HTTP **`Integrity-Policy-Report-Only`** response header allows website administrators to report on resources that the user agent loads that would violate [Subresource Integrity](/en-US/docs/Web/Security/Subresource_Integrity) guarantees if the integrity policy was enforced (using the {{HTTPHeader("Integrity-Policy")}} header). | ||
|
|
||
| Reports may be generated for requests on specified [request destinations](/en-US/docs/Web/API/Request/destination) that omit integrity metadata, or that are made in [no-cors](/en-US/docs/Web/API/Request/mode#no-cors) mode. | ||
| Reports may be generated for requests on specified [request destinations](#blocked-destinations) that omit integrity metadata, or that are made in [no-cors](/en-US/docs/Web/API/Request/mode#no-cors) mode. |
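Review bot: On the changed "Reports may be generated..." line, the link text "request destinations" now resolves to the in-page fragment #blocked-destinations, so the visible text no longer matches where the reader lands, and the /en-US/docs/Web/API/Request/destination reference disappears from this sentence. Consider rewording the link text to "blocked destinations", or keeping both links in the sentence, and confirm that a heading or field on this page actually generates the #blocked-destinations anchor, since a missing fragment fails silently.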
Note, the link was good, but it is more useful here to be able to jump down to the field to find out what destinations are blocked. The old link appears there if people want to find out more about destinations.
Preview URLs
Flaws (3)
Note! 2 documents with no flaws that don't need to be listed. 🎉 URL:
(comment last updated: 2025-08-18 07:10:58)
@chrisdavidmills As you know, I'm working tomorrow but then gone for a bit. If you don't look at this today and you think changes are required, can you just make them and merge? If you make the changes today I can still look at them in a timely manner.
c14fcf3 to 860e670
chrisdavidmills left a comment
Nice one @hamishwillee. I did as you asked and fixed up a few small bits and bobs. Mostly fine though.
Thanks very much. Those fixes all look great.
* FF142 Integrity-Policy can be enforced on scripts
* Fix a couple of instances of scripts only to scripts and stylesheets
* code font
* Couple of small fixes

---------

Co-authored-by: Chris Mills <[email protected]>
FF142 adds support for specifying a style as a blocked destination (behind a preference) in https://bugzilla.mozilla.org/show_bug.cgi?id=1974247. This updates the docs to note that this is an allowed value for the `Integrity-Policy` and `Integrity-Policy-Report-Only` headers.

Related docs work can be tracked in #40667