As a result of WebAppSec discussions <https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-11-20-minutes.md#subresource-reporting-and-csp>, this effort is moving to a PR <https://github.com/w3c/webappsec-csp/pull/693> on CSP.
On Friday, November 8, 2024 at 10:22:06 PM UTC+1 Rick Byers wrote:
> Sounds cool Yoav, and PCI-DSS v4 compliance does seem like a generally useful thing to be doing to help better secure payments on the web. Thank you for driving this!
>
> On Thu, Nov 7, 2024 at 9:36 AM Yoav Weiss (@Shopify) <yoavwe...@chromium.org> wrote:
>
>> Contact emails: yoavwe...@chromium.org
>>
>> Explainer: https://github.com/yoavweiss/subresource-reporting?tab=readme-ov-file#subresource-reporting
>>
>> Specification: Not yet, but soon.
>>
>> Summary
>>
>> Complex web applications often need to keep tabs on the subresources that they download, for security purposes. In particular, upcoming industry standards and best practices (e.g. PCI-DSS v4) require that web applications keep an inventory of all the scripts they download and execute. This feature builds on the Reporting API to report the URLs and hashes (for CORS/same-origin) of all the script resources that the document loads.
>>
>> Blink component: Blink>ReportingObserver <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EReportingObserver>
>>
>> Motivation
>>
>> Web developers load many different script assets to their sites, and those scripts can then load other assets. Some of those assets are versioned and their content's integrity can be validated using Subresource Integrity or using Content Security Policy hashes. But other assets are dynamic, ever-green scripts that can be updated by their provider at any moment. The web platform has no means of validating the integrity of such scripts, neither in reporting nor in enforcement mode. At the same time, upcoming security standards require web developers to maintain an up-to-date inventory of all scripts that execute in the context of their payment page documents, and have a mechanism to validate their integrity. In the absence of better mechanisms, developers and merchants will need to settle for lower fidelity security guarantees — e.g. offline hash verification through crawling. Such mechanisms leave a lot to be desired in terms of their coverage, while at the same time adding a lot of implementation complexity.
>>
>> Initial public proposal: https://github.com/WICG/proposals/issues/182
>>
>> TAG review: Not yet
>>
>> TAG review status: Soon
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> As this is a new feature activated through an HTTP header, I don't believe there's any compatibility risk associated with it.
>>
>> As for interoperability, it's a bit early to say, but casually talking to Mozilla and WebKit folks about it didn't trigger any alarms on their end.
>>
>> *Gecko*: No signal
>>
>> *WebKit*: No signal
>>
>> *Web developers*: No signals
>>
>> *Other signals*:
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>
>> None
>>
>> Debuggability
>>
>> None
>>
>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? Yes <https://chromium-review.googlesource.com/c/chromium/src/+/5952306/16/third_party/blink/web_tests/external/wpt/reporting/subresource.https.html>
>>
>> Flag name on about://flags: None
>>
>> Finch feature name: SubresourceReporting
>>
>> Non-finch justification: None
>>
>> Requires code in //chrome? False
>>
>> Tracking bug: https://issues.chromium.org/issues/377830102
>>
>> Estimated milestones: M133
>>
>> Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/6337535507431424?gate=5620293283086336
>>
>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
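A defender-side consumer for such reports, added here as an example and not code from the thread or the explainer: it reconciles a batch of Reporting API reports against the script inventory that PCI-DSS v4 asks a payment page to keep, flagging scripts that are not in the inventory or whose hash no longer matches the approved one. The report envelope (type/url/age/body) follows the Reporting API; the `subresource` report type name, the `url`/`hash` body fields and the SRI-style `sha256-<base64>` hash encoding are assumptions, since the thread does not specify the report format.

```python
# Constructed example: reconcile Subresource Reporting reports against a script
# inventory. The envelope (type/url/age/body) follows the Reporting API; the
# "subresource" type, the body fields "url"/"hash" and the SRI-style
# "sha256-<base64>" encoding are ASSUMPTIONS, not taken from the thread.
import base64
import hashlib
import json
from typing import NamedTuple, Optional

def sri_sha256(content: bytes) -> str:
    """SRI-style digest of a script body: 'sha256-' + base64(sha256(bytes))."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()

class Finding(NamedTuple):
    url: str
    status: str  # "known" | "changed" | "unlisted"
    hash: Optional[str]

# Constructed inventory: scripts the payment page is expected to load, with the
# hash approved at review time; None marks an ever-green script (tracked only).
INVENTORY = {
    "https://shop.example/static/checkout.js": sri_sha256(b"console.log('checkout v3')"),
    "https://cdn.example/tag-manager.js": None,
}

def reconcile(report_batch: str, inventory: dict) -> list:
    """Classify each script report as known, changed (hash mismatch) or unlisted."""
    findings = []
    for report in json.loads(report_batch):
        if report.get("type") != "subresource":
            continue  # other Reporting API types (csp-violation, ...) are not ours
        url, observed = report["body"]["url"], report["body"].get("hash")
        if url not in inventory:
            findings.append(Finding(url, "unlisted", observed))
        elif inventory[url] is not None and observed != inventory[url]:
            findings.append(Finding(url, "changed", observed))
        else:
            findings.append(Finding(url, "known", observed))
    return findings

def _report(url: str, script: bytes) -> dict:  # one constructed report
    return {"type": "subresource", "url": "https://shop.example/pay", "age": 10,
            "body": {"url": url, "hash": sri_sha256(script)}}

SAMPLE_BATCH = json.dumps([  # one POST body as a collector would receive it
    _report("https://shop.example/static/checkout.js", b"console.log('checkout v3')"),
    _report("https://shop.example/static/checkout.js", b"console.log('checkout v4')"),
    _report("https://cdn.example/tag-manager.js", b"var tm = 1;"),
    _report("https://third-party.example/widget.js", b"/* not in inventory */"),
    {"type": "csp-violation", "url": "https://shop.example/pay", "age": 1, "body": {}},
])
```

Running `reconcile(SAMPLE_BATCH, INVENTORY)` yields known, changed, known, unlisted for the four script reports; the "changed" and "unlisted" findings are the ones an inventory owner would review.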