Handling Subresource Integrity
(Work in progress)
Currently, PageSpeed optimization does not understand `integrity` HTML attributes or `Content-Security-Policy: require-sri-for [target];` response headers. Ideally, the framework would be aware of them. Until it is, pages may break when we alter resource content during optimization, because the altered content no longer matches the integrity hash the page declares.
Basically, PageSpeed Optimization has two modes of operation:
We enhance delivery for resources like JavaScript, CSS, and images by serving a smaller, faster version. Responses may differ per user-agent.
TODO(oschaaf): describe interaction.
In this mode we apply changes to HTML and replace resource URLs. We also consider the HTML context, which opens up more optimization opportunities. We will generate different resource URLs and responses for different user-agents.
TODO(oschaaf): describe interaction.
At a high level:
- The first step should be to make sure that we do not break pages by making them violate SRI integrity hashes. In the HTML flow, we can leave HTML tags with integrity attributes alone. The in-place flow may be challenging though.
- The second step should be a filter that is able to strip input SRI attributes, but only if we can verify integrity on behalf of the user-agent.
- The third step should be to add the capability of automatically adding integrity attributes.
- The last step should be to add integrity attributes on any resources we inject ourselves.
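
The second and third steps above, sketched in Python as an added example; this is not PageSpeed code. The function names and the `optimize` callback are hypothetical. The origin bytes are checked against the page's `integrity` value (strongest listed algorithm, as a user-agent would), and only on a match is the optimized resource served with a freshly computed hash.

```python
import base64
import binascii
import hashlib

# Hash functions SRI defines, ranked weakest to strongest.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def parse_integrity(attr):
    """Map each supported algorithm in an integrity value to its raw digests."""
    parsed = {}
    for token in attr.split():
        alg, _, rest = token.partition("-")
        b64 = rest.split("?", 1)[0]  # ignore optional ?options suffix
        try:
            digest = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed token: skip it
        if alg.lower() in STRENGTH and digest:
            parsed.setdefault(alg.lower(), set()).add(digest)
    return parsed


def verifies(content, attr):
    """True only if content matches a digest of the strongest listed algorithm."""
    parsed = parse_integrity(attr)
    if not parsed:
        return False  # nothing checkable, so the proxy cannot vouch for it
    strongest = max(parsed, key=STRENGTH.get)
    return hashlib.new(strongest, content).digest() in parsed[strongest]


def make_integrity(content, alg="sha384"):
    """Build an integrity value for the bytes that will actually be served."""
    digest = hashlib.new(alg, content).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")


def rewrite(origin_bytes, attr, optimize):
    """Return (bytes to serve, integrity value to emit) for one tagged resource."""
    if not verifies(origin_bytes, attr):
        return origin_bytes, attr  # leave the tag and the resource untouched
    optimized = optimize(origin_bytes)
    return optimized, make_integrity(optimized)
```

If the origin bytes fail verification, both the resource and its tag pass through unchanged, so the user-agent still performs the check the page author asked for.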
TODO(oschaaf): think about CSP part to this.