Intent to Extend Experiment: Extend CSP script-src (aka script-src-v2)

15 views
Skip to first unread message

Chromestatus

unread,
2:11 PM (3 hours ago) 2:11 PM
to blin...@chromium.org, a...@google.com, mea...@chromium.org
Contact emails
mea...@chromium.org

Explainer
https://github.com/explainers-by-googlers/script-src-v2

Specification
https://github.com/w3c/webappsec-csp/pull/784

Summary
Introduces a new keywords to the script-src Content Security Policy (CSP) directive. This adds two new hash based allowlisting mechanisms: script sources based on hashes of URLs and contents of eval() and eval() like functions. We loosely refer to this as script-src-v2, although it is backwards compatible with the existing script-src, and uses the same directive. Extending hashes to cover URL and eval() hashes allows developers to set reasonably strict security policies by narrowly allowlisting scripts by their hashes even when script contents are subject to frequent changes, and known-safe contents of eval() without permitting unchecked use of eval() broadly. The new keywords override host-based script-src when provided. This allows a single header to be compatible with browsers that both do or do not implement the new keywords.

Blink component
Blink>SecurityFeature>ContentSecurityPolicy

Web Feature ID
csp

Search tags
content security policy, csp

TAG review
https://github.com/w3ctag/design-reviews/issues/1128

TAG review status
Pending

Origin Trial Name
URL and eval hashes in CSP script-src

Chromium Trial Name
CSPExtendedScriptSrcHashes

Origin Trial documentation link
https://github.com/explainers-by-googlers/script-src-v2

WebFeature UseCounter name
kCSPUrlHashes

Risks


Interoperability and Compatibility
For url hashes, the new url-<hash-algorithm>-<hash-value> keyword overrides hosts in source lists so both a host and a hash can be set. This will allow sites to enforce a stricter policy in browsers that understand the new keyword while still including a weaker policy for those that do not. This also adds a strict-dynamic-url keyword, which enables strict-dynamic like behavior when using URL hashes. This allows sites that need strict-dynamic with the new policy (but not with the fallback policy) to set it while still being able to use hostname sources in the fallback. Similarly, the new eval-<hash-algorithm>-<hash-value> keyword overrides unsafe-eval so both can be set, in order to prevent breakage for users in browsers that don't support eval hashes yet.

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1277)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/535)

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No information provided


Goals for experimentation
No information provided

Reason this experiment is being extended
Two bugs were discovered (crbug.com/490022555 and crbug.com/490022554) that prevented the internal Google team that was going to test the new features from using them. Bugs are now in the process of being fixed, requesting an extension so this can actually be used.

Ongoing technical constraints
No information provided

Debuggability
No information provided

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes

Is this feature fully tested by web-platform-tests?
Yes
Tetntative tests have been added in https://github.com/web-platform-tests/wpt/tree/master/content-security-policy/script-src/tentative

Flag name on about://flags
No information provided

Finch feature name
ScriptSrcHashesV1

Requires code in //chrome?
False

Tracking bug
https://crbug.com/392657736

Launch bug
https://launch.corp.google.com/launch/4394549

Estimated milestones
Origin trial desktop first141
Origin trial desktop last144
Origin trial extension 1 end milestone150
Origin trial Android first141
Origin trial Android last144
Origin trial WebView first141
Origin trial WebView last144


Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5196368819519488?gate=5078661873139712

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANDkT5k9roBJptbJvGBCQBt1Lhefrdz3WCqvr35gHGP2aiXXJw%40mail.gmail.com
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfXm35Eeyx-X8St%2BTAV1uvJk1SOuFL1Rkq%2B7ORhJXyjYmQ%40mail.gmail.com


This intent message was generated by Chrome Platform Status.
Reply all
Reply to author
Forward
0 new messages