
Intent to Ship: CSP hash reporting for scripts


Yoav Weiss (@Shopify)

Dec 9, 2024, 6:05:53 AM12/9/24
to blink-dev

Contact emails

yoav...@chromium.org

Explainer

https://github.com/w3c/webappsec-csp/pull/693#issue-2692363906

Specification

https://github.com/w3c/webappsec-csp/pull/693

Summary

Complex web applications often need to keep tabs on the subresources that they download, for security purposes. In particular, upcoming industry standards and best practices (e.g. PCI-DSS v4) require that web applications keep an inventory of all the scripts they download and execute. This feature builds on CSP and the Reporting API to report the URLs and hashes (for CORS/same-origin) of all the script resources that the document loads.



Blink component

Blink>SecurityFeature

TAG review

https://github.com/w3ctag/design-reviews/issues/1020

TAG review status

Pending

Risks



Interoperability and Compatibility

As a new feature, it has no particular compatibility issues.

In terms of interop, this feature was discussed at a WebAppSec meeting, and Apple folks were involved in the review.



Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1129)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/430)

Web developers: Positive (https://github.com/w3c/webappsec-csp/pull/693#issuecomment-2501689386). Shopify as well as Google Security are interested in this.

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/content-security-policy/report-hash?label=experimental&label=master&aligned



Flag name on about://flags

CSPReportHash

Finch feature name

CSPReportHash

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/issues/377830102

Estimated milestones

Shipping on desktop: 133
Shipping on Android: 133
Shipping on WebView: 133


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).


None


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6337535507431424?gate=5971079770931200

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSK_3rddBZ16wCBCuJR3f2a9%3DGSWDH-azFbmHi5dQK%2BPqw%40mail.gmail.com


This intent message was generated by Chrome Platform Status.
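The intent describes reporting script URLs and hashes through the Reporting API, but not how a site turns those reports into the inventory check PCI-DSS v4 asks for. The following is an added example (not part of the intent, Chromium, or the spec PR) of a collector-side triage that compares incoming reports against an approved-script list; the report type name "csp-hash", the body fields "subresourceURL" and "hash", and the convention that a cross-origin script without CORS arrives with an empty hash are all assumptions.

```python
import base64
import hashlib
import json

def csp_sha256(script_bytes: bytes) -> str:
    """CSP-style hash of a script body: 'sha256-' + base64(SHA-256 digest)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(script_bytes).digest()).decode()

# Constructed inventory of approved scripts (URL -> expected hash), the kind of
# list PCI-DSS v4 asks a site to maintain.
APPROVED_SCRIPTS = {
    "https://shop.example/static/app.js": csp_sha256(b"console.log('app');"),
    "https://shop.example/static/analytics.js": csp_sha256(b"track();"),
    "https://other.example/lib.js": csp_sha256(b"export const x = 1;"),
}

def triage_reports(reports_json: str, approved: dict) -> dict:
    """Sort a Reporting API batch into approved / changed / unhashed / unknown.
    Assumed (not confirmed by the intent message): hash reports are envelopes of
    type "csp-hash" whose body carries "subresourceURL" and "hash"; an empty hash
    means the script was cross-origin without CORS, so only its URL is known."""
    result = {"approved": [], "changed": [], "unhashed": [], "unknown": []}
    for report in json.loads(reports_json):
        if report.get("type") != "csp-hash":
            continue  # e.g. csp-violation reports sharing the same endpoint
        body = report.get("body", {})
        url, reported = body.get("subresourceURL"), body.get("hash", "")
        if url not in approved:
            result["unknown"].append(url)   # not in the inventory: investigate
        elif not reported:
            result["unhashed"].append(url)  # inventory entry cannot be verified
        elif reported != approved[url]:
            result["changed"].append(url)   # content drifted from approved hash
        else:
            result["approved"].append(url)
    return result

def _envelope(url: str, digest: str) -> dict:
    """One constructed csp-hash report envelope in Reporting API shape."""
    return {"type": "csp-hash", "url": "https://shop.example/checkout", "age": 0,
            "user_agent": "constructed", "body": {"subresourceURL": url, "hash": digest}}

# Constructed batch as a collector endpoint would receive it (JSON array).
SAMPLE_BATCH = json.dumps([
    _envelope("https://shop.example/static/app.js", csp_sha256(b"console.log('app');")),
    _envelope("https://shop.example/static/analytics.js", csp_sha256(b"track();evil();")),
    _envelope("https://other.example/lib.js", ""),
    _envelope("https://cdn.example/widget.js", csp_sha256(b"widget()")),
    {"type": "csp-violation", "url": "https://shop.example/checkout", "age": 0, "user_agent": "x", "body": {}},
])
```

Running `triage_reports(SAMPLE_BATCH, APPROVED_SCRIPTS)` flags the unknown CDN script and the drifted analytics script, which is the signal an operator would feed into their script inventory review.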

Mike Taylor

Dec 9, 2024, 8:02:49 AM12/9/24
to Yoav Weiss (@Shopify), blink-dev

Thanks for working on this - LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohS%2B9jsqee5LYD5GaikgrEjMKBBziAecNomCd95iBkj6t7g%40mail.gmail.com.

Chris Harrelson

Dec 11, 2024, 12:26:16 PM12/11/24
to Mike Taylor, Yoav Weiss (@Shopify), blink-dev

Alex Russell

Dec 12, 2024, 12:42:59 AM12/12/24
to Chris Harrelson, Mike Taylor, Yoav Weiss (@Shopify), blink-dev