<script integrity="">

integrity 属性 (HTML)

仕様書

意味

[44] 要素によって行われる要求の一貫性メタデータを表します。 >>43, >>49

構文

[46] 属性値は、テキストです >>43, >>49。

文脈

[51] link 要素と script 要素に指定できます。

[45] link 要素にあっては、 rel 属性に stylesheet が指定されていない限り、指定してはなりません >>43。

[47] それ以外では、指定しても無視されます。

[52] script 要素にあっては、データブロックやモジュールスクリプトを表す時、あるいは src 属性がない時、指定してはなりません >>49。

[53] integrity は、古典スクリプトとモジュールスクリプトに適用されます。データブロックに指定しても、無視されます。

[65] スクリプトfetchオプション群は、一貫性メタデータ (integrity metadata) を持ちます HTML Standard。スクリプトの作成時に設定され、スクリプトのfetchで参照されます。

処理

[48] obtain the resource で参照されます。

[54] script 要素の処理で参照されます。

IDL 属性

[50] HTMLLinkElement インターフェイスの integrity IDL属性は、 integrity 内容属性を文字列として反映するものです >>43。

歴史

参照元にハッシュ値を埋め込む提案と失敗の歴史

[11] Link Hashes - WHATWG Wiki (2014-10-11 21:00:37 +09:00 版) https://wiki.whatwg.org/wiki/Link_Hashes

[1] Subresource Integrity ( (2014-03-15 05:47:19 +09:00 版)) http://www.w3.org/TR/2014/WD-SRI-20140318/

[2] Subresource Integrity ( (2014-05-21 09:40:41 +09:00 版)) http://w3c.github.io/webappsec/specs/subresourceintegrity/

[3] IRC logs: freenode / #whatwg / 20140613 ( (2014-06-14 11:47:11 +09:00 版)) http://krijnhoetmer.nl/irc-logs/whatwg/20140613#l-229

[4] Subresource Integrity ( (2014-07-02 16:04:20 +09:00 版)) http://w3c.github.io/webappsec/specs/subresourceintegrity/

[5] Fix old digest attribute · 80721db · w3c/webappsec (2014-10-18 14:28:35 +09:00 版) https://github.com/w3c/webappsec/commit/80721db13315f38d9a46dbd824fc2939619d50f0

[6] 1100206 – Teach the parser about the integrity attribute (2015-02-19 12:25:29 +09:00 版) https://bugzilla.mozilla.org/show_bug.cgi?id=1100206

[7] Changed integrity productions to reflect per-hash-expression options and... · w3c/webappsec@54e31a1 (2015-04-10 00:34:48 +09:00 版) https://github.com/w3c/webappsec/commit/54e31a12846eff424a018ce9d2078cfec798a888

[8] Got rid of MIME type references, other than note that they may be added ... · w3c/webappsec@beec679 (2015-04-10 00:34:59 +09:00 版) https://github.com/w3c/webappsec/commit/beec679207dbdd02231d6f7090833ecb2e1690cc

[9] Modified metadata algorithm to generate a set of strong hashes. · w3c/webappsec@7b00748 (2015-04-10 00:37:22 +09:00 版) https://github.com/w3c/webappsec/commit/7b00748ea09ca291215c8802a296ccda6c226d43

[10] Subresource Integrity (2015-04-09 17:26:24 +09:00 版) http://www.w3.org/TR/2015/WD-SRI-20150409/

[12] Subresource Integrity (2015-05-05 23:26:33 +09:00 版) http://www.w3.org/TR/2015/WD-SRI-20150505/

[13] [SRI] Requiring CORS for SRI (Tanvi Vyas 著, 2015-05-07 03:17:41 +09:00 版) https://lists.w3.org/Archives/Public/public-webappsec/2015May/0023.html

[14] Issue 1186883003: Ship Subresource Integrity - Code Review (2015-06-20 11:40:17 +09:00 版) https://codereview.chromium.org/1186883003/

[15] SRI: Shipped on tip-of-tree Chromium (Joel Weinberger 著, 2015-06-20 04:06:46 +09:00 版) https://lists.w3.org/Archives/Public/public-webappsec/2015Jun/0053.html

[16] Subresource Integrity (2015-07-07 16:18:55 +09:00 版) http://www.w3.org/TR/2015/WD-SRI-20150707/

[17] Support integrity. Fixes #85. · whatwg/fetch@12a1a6c (2015-07-24 23:05:10 +09:00 版) https://github.com/whatwg/fetch/commit/12a1a6cc539262fb5e58717047b0fcb70b38ae26

[18] Bug 148363 – Implement Subresource Integrity (SRI) (2015-08-24 11:38:53 +09:00 版) https://bugs.webkit.org/show_bug.cgi?id=148363

[19] Subresource Integrity (2015-09-16 22:14:01 +09:00 版) http://www.w3.org/TR/2015/WD-SRI-20150916/

[20] IRC logs: freenode / #whatwg / 20150928 (2015-09-29 10:44:08 +09:00 版) http://krijnhoetmer.nl/irc-logs/whatwg/20150928

# [10:44] <mkwst> terinjokes: SRI only applies to those elements because the current spec is basically a test to check that we can actually verify integrity on the wild and crazy internet.
# [10:44] <mkwst> terinjokes: Basically, they decided to do the simplest thing possible, make sure it works, and then expand it based on that experience.
# [10:45] <mkwst> terinjokes: Tacking `integrity` attributes onto other elements as necessary is an obvious next step.

[21] Subresource Integrity (2015-10-06 22:14:42 +09:00 版) https://w3c.github.io/webappsec-subresource-integrity/

[22] w3c/webappsec-subresource-integrity (2015-10-06 23:28:21 +09:00 版) https://github.com/w3c/webappsec-subresource-integrity

[23] Subresource Integrity (2015-10-06 23:13:38 +09:00 版) http://www.w3.org/TR/2015/WD-SRI-20151006/

[24] Merge pull request #4 from fmarier/simplify-eligibility-alg · w3c/webappsec-subresource-integrity@f98f344 (2015-10-22 11:46:04 +09:00 版) https://github.com/w3c/webappsec-subresource-integrity/commit/f98f344856977a106f2660d4e75c697102f7c057

[25] Subresource Integrity ( (2015-11-12 22:23:57 +09:00 版)) http://www.w3.org/TR/2015/CR-SRI-20151112/

[26] Re: [SRI] Unmentioned use case: caching (Joel Weinberger 著, 2015-12-22 00:41:02 +09:00 版) https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0042.html

[27] Subresource Integrity - GitHub Engineering (2015-12-18 00:30:15 +09:00 版) http://githubengineering.com/subresource-integrity/

[28] [CSP] "sri" source expression to enforce SRI (Patrick Toomey 著, 2015-12-22 02:34:34 +09:00 版) https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0045.html

[29] Convert to Bikeshed. Should be all formatting changes, which includes… · w3c/webappsec-subresource-integrity@4b6816d (2016-01-21 12:15:20 +09:00 版) https://github.com/w3c/webappsec-subresource-integrity/commit/4b6816d922587922a2b89854b384a89db6e5fd8b

[30] Allow hashes to match external scripts · w3c/webappsec-csp@a299d38 (2016-04-26 12:10:58 +09:00 版) https://github.com/w3c/webappsec-csp/commit/a299d38d1b54e3d9612d11fb69cc8174b5e44051

[31] Subresource Integrity ( (2016-05-09 18:03:08 +09:00)) https://www.w3.org/TR/2016/PR-SRI-20160510/

[32] reference `require-sri-for` in SRI specification (#93) ( (shekyan著, 2016-06-22 18:00:34 +09:00)) https://github.com/w3c/webappsec-csp/commit/7b8762c599a5f7fa53d15df4629e763f6ed53c60

[33] Subresource Integrity (2016-06-21 00:01:23 +09:00) https://www.w3.org/TR/2016/REC-SRI-20160623/

[34] Subresource Integrity (2016-06-21 00:01:23 +09:00) https://www.w3.org/TR/2016/REC-SRI-20160623/

[35] Subresource Integrity (2016-06-22 03:22:12 +09:00) https://w3c.github.io/webappsec-subresource-integrity/

[37] w3c/webappsec-subresource-integrity: WebAppSec Subresource Integrity (2016-06-30 12:18:52 +09:00) https://github.com/w3c/webappsec-subresource-integrity

[38] GitHub implements Subresource Integrity (2016-07-30 16:00:20 +09:00) https://github.com/blog/2058-github-implements-subresource-integrity

[39] Subresource Integrity Addressable Caching (2016-10-16 03:29:51 +09:00) https://hillbrad.github.io/sri-addressable-caching/sri-addressable-caching.html

[40] Clarifying SRI integration. (mikewest著, 2016-11-09 22:01:27 +09:00) https://github.com/w3c/webappsec-csp/commit/68aecb5003b0081afcc4f70524b81f8b381aa97c

[41] Upstream SRI's 'integrity' attribute (mikewest著, 2016-11-03 22:33:16 +09:00) https://github.com/whatwg/html/commit/4c5066c171610e0c8300a58baf4f94816044cedc

[42] Disallow the integrity attribute for inline scripts (zcorpan著, 2016-11-03 22:54:48 +09:00) https://github.com/whatwg/html/commit/7a405842a176c30a5d46c3520a1c8827b5483961

[55] Be clearer about the "parse metadata" algorithm. (jyasskin著, 2017-02-07 08:42:51 +09:00) https://github.com/w3c/webappsec-subresource-integrity/commit/78e3b73832b87ca83f562cf8dd6f1ae2f5aa196e

[56] Subresource Integrity Addressable Caching (2016-10-16 03:29:51 +09:00) https://hillbrad.github.io/sri-addressable-caching/sri-addressable-caching.html

[57] Add signature-based explainer. (mikewest著, 2017-06-01 16:07:34 +09:00) https://github.com/w3c/webappsec-subresource-integrity/commit/f6b778b6c9f90857b99ebcca34efb55247218b5f

[58] Proposal: Signatures in SRI. (Mike West著, 2017-06-01 18:13:04 +09:00) https://lists.w3.org/Archives/Public/public-webappsec/2017Jun/0000.html

[59] Using integrity with "no-cors" is fine same-origin (annevk著, 2017-09-02 01:19:38 +09:00) https://github.com/whatwg/fetch/commit/686a1ad9e1c5a001531ebabb1bcd163dfe78edd8

[60] TypeError on Request.integrity with no-cors mode is a foot gun · Issue #583 · whatwg/fetch (2017-09-02 17:04:00 +09:00) https://github.com/whatwg/fetch/issues/583

[61] Using integrity with "no-cors" is fine same-origin by annevk · Pull Request #584 · whatwg/fetch (2017-09-02 17:04:24 +09:00) https://github.com/whatwg/fetch/pull/584

[62] Add integrity="" for module scripts, and integrate dynamic import() by domenic · Pull Request #3044 · whatwg/html (2017-10-04 22:46:22 +09:00) https://github.com/whatwg/html/pull/3044

[63] Make integrity="" work on module scripts (domenic著, 2017-09-14 18:00:24 +09:00) https://github.com/whatwg/html/commit/9275d955dcd604e959cfcc672e0c234b1b8c00db

[64] Make integrity="" work on module scripts (domenic著, 2017-09-14 18:00:24 +09:00) https://github.com/whatwg/html/commit/9275d955dcd604e959cfcc672e0c234b1b8c00db

[66] Does integrity="" intentionally not work on module <script>s? · Issue #2382 · whatwg/html (2017-10-05 14:16:28 +09:00) https://github.com/whatwg/html/issues/2382

[67] Add integrity="" for module scripts, and integrate dynamic import() by domenic · Pull Request #3044 · whatwg/html (2017-10-05 14:22:58 +09:00) https://github.com/whatwg/html/pull/3044

[68] Signature-based SRI and CDNs (Mark Nottingham著, 2017-11-09 09:38:08 +09:00) https://lists.w3.org/Archives/Public/public-webappsec/2017Nov/0014.html

[69] Re: SRI and signatures (Daniel Vogelheim著, 2017-12-13 01:44:10 +09:00) https://lists.w3.org/Archives/Public/public-webappsec/2017Dec/0012.html

[70] Add <link> rel="modulepreload" by domenic · Pull Request #2383 · whatwg/html (2018-03-20 15:20:27 +09:00) https://github.com/whatwg/html/pull/2383

[71] New WebKit Features in Safari 11.1 | WebKit (2018-04-13 13:40:37 +09:00) https://webkit.org/blog/8216/new-webkit-features-in-safari-11-1/

[72] New WebKit Features in Safari 11.1 | WebKit (2018-04-24 13:08:05 +09:00) https://webkit.org/blog/8216/new-webkit-features-in-safari-11-1/

[73] Added note explaining difference between SRI and CSP hashes (#344) (andypaicu著, 2018-10-08 19:39:51 +09:00) https://github.com/w3c/webappsec-csp/commit/24ca8417f5d1326d1c589833ba0e9e39678f4ed0

[74] Adding note explaining difference between SRI and CSP hashes by andypaicu · Pull Request #344 · w3c/webappsec-csp (2018-10-30 23:50:46 +09:00) https://github.com/w3c/webappsec-csp/pull/344

[75] "Whitelisting external JavaScript with hashes" incorrectly assumes encoding of sources · Issue #110 · w3c/webappsec-csp (2018-10-30 23:50:58 +09:00) https://github.com/w3c/webappsec-csp/issues/110

[76] Revert `require-sri-for` (#82) (mozfreddyb著, 2019-07-03 04:43:58 +09:00) https://github.com/w3c/webappsec-subresource-integrity/commit/4716b7278b553c9d5bf10ee56e00570a737ee896

[77] Revert `require-sri-for` by mozfreddyb · Pull Request #82 · w3c/webappsec-subresource-integrity (2020-01-12 15:26:30 +09:00) https://github.com/w3c/webappsec-subresource-integrity/pull/82

[78] SRI spec Maintenance (Frederik Braun著, 2019-07-02 22:30:57 +09:00) https://lists.w3.org/Archives/Public/public-webappsec/2019Jul/0002.html