Mike West

Results: 245 comments by Mike West

I'd continue punting on this for the moment. Let's work out how we do things in HTTP, and then determine how to apply that to HTML. Guessing wildly, if we...

Thanks for the use case, @bakkot! I still see this as an enhancement that isn't necessary for getting something out the door, but I do think we have a reasonably...

> I agree it's not strictly necessary for getting something out the door, though given how often things seem to get partially done and then never fully updated to address...

> > To that end, it'd be helpful to have a broader set of folks who want inline signature checks to make sure that we understand the use cases and...

> But I don't know why you think that's conducive to passing nonces. Nonces could be passed in along with the request for the script. This assumes more capacity for...

(@annevk might know if anyone has suggested this kind of validation for HTML content in the past (and might have opinions about it, in any of its variously possible spellings))

> Let's see:
>
> * What contents to validate can probably follow the definition of the `script` element's `text` getter. But yeah, I guess you would have to UTF-8...

In an effort to avoid some more important work (and the news), I sketched something out in https://mikewest.github.io/inline-integrity/ that only focuses on `` and ``. If there's a use case...

> > (As an aside, this discussion vaguely reminds me of [@arturjanc](https://github.com/arturjanc)'s proposal to extend hashes to cover URLs declared through ``, which could perhaps have improved protection against injection...

I'm closing this out in favor of https://mikewest.github.io/inline-integrity/, which I think is not a terrible idea, and will start poking folks about.