From 32826ef83995044670526fea0d6f54de59e2e6e3 Mon Sep 17 00:00:00 2001
From: Rohan Kumar
Date: Tue, 20 Sep 2022 12:31:10 -0700
Subject: [PATCH] Give points for not having scripts HTTP Observatory shouldn't encourage web developers to add scripts to their website simply to get more points. Fixes #449
---
 httpobs/docs/scoring.md | 2 +-
 httpobs/scanner/grader/grade.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/httpobs/docs/scoring.md b/httpobs/docs/scoring.md
index 51bd4b9..8a22709 100644
--- a/httpobs/docs/scoring.md
+++ b/httpobs/docs/scoring.md
@@ -120,7 +120,7 @@ referrer-policy-header-invalid | `Referrer-Policy` header cannot be recognized |
 sri-implemented-
and-all-scripts-loaded-securely | Subresource Integrity (SRI) is implemented and all scripts are loaded from a similar origin | 5
 sri-implemented-
and-external-scripts-loaded-securely | Subresource Integrity (SRI) is implemented and all scripts are loaded securely | 5
 sri-not-implemented-
but-all-scripts-loaded-from-secure-origin | Subresource Integrity (SRI) not implemented as all scripts are loaded from a similar origin | 0
-sri-not-implemented-
but-no-scripts-loaded | Subresource Integrity (SRI) is not needed since site contains no script tags | 0
+sri-not-implemented-
but-no-scripts-loaded | Subresource Integrity (SRI) is not needed since site contains no script tags | 5
 sri-not-implemented-
response-not-html | Subresource Integrity (SRI) is only needed for html resources | 0
 sri-not-implemented-
but-external-scripts-loaded-securely | Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https | -5
 request-did-not-return-status-code-200 | Site did not return a status code of 200 (deprecated) | -5
diff --git a/httpobs/scanner/grader/grade.py b/httpobs/scanner/grader/grade.py
index 7549fa2..4d88ee8 100644
--- a/httpobs/scanner/grader/grade.py
+++ b/httpobs/scanner/grader/grade.py
@@ -304,7 +304,7 @@
 },
 'sri-not-implemented-but-no-scripts-loaded': {
 'description': 'Subresource Integrity (SRI) is not needed since site contains no script tags',
- 'modifier': 0,
+ 'modifier': 5,
 },
 'sri-not-implemented-but-all-scripts-loaded-from-secure-origin': {
 'description': 'Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin',
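Review bot: With `'modifier': 5` on `sri-not-implemented-but-no-scripts-loaded`, a result that used to be neutral now awards credit, so any response in which the scanner finds no script tags gains five points without any script hygiene being demonstrated; presumably that includes a placeholder or error body that is still graded. The hunk does not show how this result is selected, so it is worth confirming that it only fires on a real HTML document, and deciding explicitly why `sri-not-implemented-response-not-html` stays at 0 in scoring.md although such a response is equally script-free. The patch touches two files and no test, so I would add an assertion on the new value and a short comment above the entry, for example `# bonus: a page with no scripts is at least as safe as one using SRI (#449)`. The entry sits inside a dict that starts and ends outside the hunk.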