Contact emails
andy...@chromium.org, mk...@chromium.org
Spec
https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage
Summary
'unsafe-hashed-attributes' is a feature in CSP3 which allows developers to enable specific event handlers without needing to use the less safe 'unsafe-inline' keyword.
If 'unsafe-hashed-attributes' is present, inline event handlers are allowed to match against hashes specified by the 'script-src' directive (or its fallback if not present).
Link to “Intent to Implement” blink-dev discussion
I don't think there has been an I2I for this feature.
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
Risks
Interoperability and Compatibility
To my knowledge we are the first browser to implement this. There seem to be positive feelings towards this in the spec discussion.
Edge: No signals
Firefox: No signals
Safari: No signals
Web developers: Positive
https://github.com/w3c/webappsec-csp/issues/13
Is this feature fully tested by web-platform-tests? Link to test suite results from wpt.fyi.
Tests will be written as part of this. When they exist, they will reside in:
http://wpt.fyi/content-security-policy/unsafe-hashed-attributes
Entry on the feature dashboard
https://www.chromestatus.com/feature/5867082285580288
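The matching rule described in the Summary, as an added example that is not part of the original message and is not Blink's implementation: it computes the hash source for an inline event handler and checks it against `script-src` (or its `default-src` fallback), requiring the 'unsafe-hashed-attributes' keyword. The function names and the `doSubmit()` handler are hypothetical, and the model covers only the hash path (no `'unsafe-inline'` or nonce handling).

```javascript
// Added example: a simplified model of the check, not Blink's implementation.
const crypto = require('crypto');

const KEYWORD = "'unsafe-hashed-attributes'";
const HASH_RE = /^'(sha256|sha384|sha512)-([A-Za-z0-9+\/_-]+={0,2})'$/i;

// Hash source for an attribute value, e.g. the text inside onclick="...".
function hashSource(handlerText, alg = 'sha256') {
  const digest = crypto.createHash(alg).update(handlerText, 'utf8').digest('base64');
  return `'${alg}-${digest}'`;
}

// Source list that governs scripts: script-src, else its fallback default-src.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// True only when the keyword is present AND a listed hash matches the handler.
function matchesHashedAttribute(policy, handlerText) {
  const sources = scriptSources(policy);
  if (!sources || !sources.some((s) => s.toLowerCase() === KEYWORD)) return false;
  return sources.some((s) => {
    const m = HASH_RE.exec(s);
    if (!m) return false;
    // Accept base64url digests by mapping them onto the standard alphabet.
    const listed = m[2].replace(/-/g, '+').replace(/_/g, '/');
    const actual = crypto.createHash(m[1].toLowerCase())
      .update(handlerText, 'utf8').digest('base64');
    return listed === actual;
  });
}

// Constructed sample: <button onclick="doSubmit()">, doSubmit is hypothetical.
const handler = 'doSubmit()';
const withKeyword = `default-src 'none'; script-src ${KEYWORD} ${hashSource(handler)}`;
const withoutKeyword = `script-src ${hashSource(handler)}`;
console.log(withKeyword);
console.log(matchesHashedAttribute(withKeyword, handler));
console.log(matchesHashedAttribute(withoutKeyword, handler));
```

The hash covers the exact attribute text, so any change to the handler, including whitespace, requires a new hash in the policy.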