Add an SRI control as either a CSP directive or a new header

[joelweinberger]

Per the suggestion in https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0045.html, it might make sense to extend CSP with a directive to control SRI. For example, we could have an sri-options directive that can take options like scripts-require-sri. This would also be a good place to eventually have a report-only option for SRI.

[jonathanKingston]

See also previous discussions: w3c/webappsec#16 (comment)

[mozfreddyb]

How is this tied to CSP? I'm wondering if the Integrity Policy should come in its own header.

[joelweinberger]

In fact, the rest of that thread eventually makes the point that it may make sense to put it in its own header :-) There isn't consensus, about whether it should be a CSP directive or a separate header, so I'll rename this issue appropriately.

[mozfreddyb]

We tried with require-sri-for (and removed it again). Closing.