Contact emails
tr...@chromium.org, mk...@chromium.org
Spec
https://w3c.github.io/webappsec-csp/#external-hash
Summary
CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'`, `<script integrity="sha256-abc123" crossorigin ...></script>` will be allowed.
Motivation
Developers at places like GitHub are interested in moving from a list of allowed script origins to a content-based mechanism that sits on top of their existing usage of Subresource Integrity. Other folks have expressed interest in building out a "trusted loader" mechanism, combining hashes with `strict-dynamic` to verify the script that's being empowered to load more script.
In general, folks that are using SRI can quite easily begin allowing only those trusted hashes to execute on their pages, which seems like a pretty clear win.
Interoperability and Compatibility Risk
This is a new feature with low compatibility risk. There is a risk that developers will attempt to rely on it in browsers that don't yet support the matching mechanism, but that can be best resolved by other browsers implementing the feature.
Edge: No signals
Firefox: Public support in https://github.com/w3c/webappsec-csp/issues/78.
Safari: No signals
Web developers: Positive signals from GitHub and Dropbox, also in https://github.com/w3c/webappsec-csp/issues/78. Also, I was only able to convince treib@ to implement this because he needs it for a revamp of Chrome's new tab page... so. :)
Ongoing technical constraints
None
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes or no. If no, explain why certain platforms will not be included in your implementation.
OWP launch tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=706380
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/4626666856906752
Requesting approval to ship?
Yes.
-mike
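As an added worked example (this is not Chromium's or the spec's code and was not posted in this thread), the matching rule the intent above describes, in JavaScript: hash-source expressions in `script-src` are compared against the script element's SRI integrity metadata, and an element whose every digest appears in the policy is allowed whatever its origin; otherwise the ordinary host-source check applies. The digests, hostnames and the `supportsExternalHash` switch are constructed placeholders, and the host matching is deliberately simplified (whole origins and `'self'` only).

```javascript
// Added example, not Chromium or spec code: CSP3 external-hash matching layered
// on SRI integrity metadata, as the intent above describes. All digests,
// hostnames and the supportsExternalHash switch are constructed placeholders.

const SRI_ALGORITHMS = new Set(["sha256", "sha384", "sha512"]);
// hash-source: 'sha256-<base64>' (CSP also permits base64url characters)
const HASH_SOURCE = /^'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'$/i;
// SRI token: <alg>-<base64>[?options]
const INTEGRITY_TOKEN = /^([a-z0-9]+)-([A-Za-z0-9+/_-]+={0,2})(\?.*)?$/i;

// Hash-source expressions in a script-src value; other tokens are ignored here.
function parseHashSources(directiveValue) {
  const out = [];
  for (const token of directiveValue.trim().split(/\s+/)) {
    const m = HASH_SOURCE.exec(token);
    if (m) out.push({ alg: m[1].toLowerCase(), digest: m[2] });
  }
  return out;
}

// SRI "parse metadata": malformed tokens and unknown algorithms are skipped;
// a missing attribute is "no metadata" (null), not an empty list.
function parseIntegrity(attr) {
  if (attr == null) return null;
  const out = [];
  for (const token of attr.trim().split(/\s+/)) {
    const m = INTEGRITY_TOKEN.exec(token);
    if (!m) continue;
    const alg = m[1].toLowerCase();
    if (SRI_ALGORITHMS.has(alg)) out.push({ alg, digest: m[2] });
  }
  return out;
}

// Every digest the element carries must be listed in the policy (algorithm
// compared case-insensitively, digest case-sensitively). SRI verifies only the
// strongest algorithm present, so an unlisted stronger digest would let the
// browser skip the one the policy actually vouches for.
function externalHashMatches(directiveValue, integrityAttr) {
  const allowed = parseHashSources(directiveValue);
  if (allowed.length === 0) return false;
  const sources = parseIntegrity(integrityAttr);
  if (sources === null || sources.length === 0) return false;
  return sources.every(s =>
    allowed.some(a => a.alg === s.alg && a.digest === s.digest));
}

// Simplified host-source check (assumption: whole origins and 'self' only;
// paths, wildcards and scheme-only sources are left out).
function hostMatches(directiveValue, src, documentOrigin) {
  const srcOrigin = new URL(src).origin;
  const scheme = new URL(documentOrigin).protocol;
  for (const token of directiveValue.trim().split(/\s+/)) {
    if (token === "'self'") {
      if (srcOrigin === documentOrigin) return true;
      continue;
    }
    if (token.startsWith("'")) continue; // keyword or hash, not a host
    const candidate = token.includes("://") ? token : `${scheme}//${token}`;
    try {
      if (new URL(candidate).origin === srcOrigin) return true;
    } catch {
      // not a parseable host-source
    }
  }
  return false;
}

// Browsers without this feature have no hash bypass step for external scripts,
// so a hash-only policy blocks every <script src> there; a site that keeps a
// host allowlist alongside its hashes stays as exposed as that allowlist is.
function scriptAllowed(directiveValue, req, supportsExternalHash = true) {
  if (supportsExternalHash && externalHashMatches(directiveValue, req.integrity)) {
    return true;
  }
  return hostMatches(directiveValue, req.src, req.documentOrigin);
}

// Constructed sample: the policy from the intent plus one allowed host.
const POLICY = "'sha256-abc123' 'sha512-321cba' https://cdn.example";
const DOC = "https://app.example";
const third = (integrity) =>
  ({ src: "https://anywhere.example/a.js", integrity, documentOrigin: DOC });

function demo() {
  return {
    hashMatch: scriptAllowed(POLICY, third("sha256-abc123")),
    unlistedDigest: scriptAllowed(POLICY, third("sha256-abc123 sha384-zzz")),
    hostFallback: scriptAllowed(POLICY,
      { src: "https://cdn.example/b.js", integrity: null, documentOrigin: DOC }),
    noHashNoHost: scriptAllowed(POLICY, third(null)),
    hashOnlyOldBrowser: scriptAllowed("'sha256-abc123'", third("sha256-abc123"), false),
  };
}
```

The `unlistedDigest` case is the one worth remembering when writing policies: adding a second, stronger digest to the `integrity` attribute without also adding it to `script-src` turns a previously allowed script into a blocked one, because the policy can no longer vouch for the digest SRI would actually enforce.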
LGTM1
Since this may have severe security consequences (pages that only rely on hashes in their policies but do not block domains can enable cross site scripting in unsupported browsers), I think it might make sense to coordinate shipping this feature with other browsers.
Right, I misunderstood. :) So new browser versions will actually be sort of opening an attack vector (rather than blocking it)... That is a bit controversial to me, but, oh, well...