Contact emails
yoavwe...@chromium.org

Explainer
https://github.com/w3c/webappsec-csp/pull/693#issue-2692363906

Specification
https://github.com/w3c/webappsec-csp/pull/693

Summary
Complex web applications often need to keep tabs on the subresources they download, for security purposes. In particular, upcoming industry standards and best practices (e.g. PCI-DSS v4) require that web applications keep an inventory of all the scripts they download and execute. This feature builds on CSP and the Reporting API to report the URLs and hashes (for same-origin and CORS-enabled resources) of all the script resources that the document loads.

Blink component
Blink>SecurityFeature <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%22>

TAG review
https://github.com/w3ctag/design-reviews/issues/1020

TAG review status
Pending

Risks

Interoperability and Compatibility
As a new feature, it has no particular compatibility issues. In terms of interop, this feature was discussed <https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-11-20-minutes.md#subresource-reporting-and-csp> at a WebAppSec meeting, and Apple folks were involved in the review.

*Gecko*: No signal (https://github.com/mozilla/standards-positions/issues/1129)
*WebKit*: No signal (https://github.com/WebKit/standards-positions/issues/430)
*Web developers*: Positive (https://github.com/w3c/webappsec-csp/pull/693#issuecomment-2501689386). Shopify as well as Google Security are interested in this.
*Other signals*:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None

Debuggability
None

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes
https://wpt.fyi/results/content-security-policy/report-hash?label=experimental&label=master&aligned

Flag name on about://flags
CSPReportHash

Finch feature name
CSPReportHash

Requires code in //chrome?
False

Tracking bug
https://issues.chromium.org/issues/377830102

Estimated milestones
Shipping on desktop: 133
Shipping on Android: 133
Shipping on WebView: 133

Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changes to the naming or structure of the API in a non-backward-compatible way).
None

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6337535507431424?gate=5971079770931200

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSK_3rddBZ16wCBCuJR3f2a9%3DGSWDH-azFbmHi5dQK%2BPqw%40mail.gmail.com

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohS%2B9jsqee5LYD5GaikgrEjMKBBziAecNomCd95iBkj6t7g%40mail.gmail.com.
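The summary above describes the browser side: the document's loaded scripts are reported, with URL and hash, to a Reporting API endpoint. The following is an added example of the endpoint side of the inventory check the summary motivates; it is not code from this intent, from Chromium or from the spec PR. It assumes a report `type` of `csp-hash` and body fields `subresourceURL` and `hash` (assumed names; the spec PR defines the actual shape), assumes hashes arrive in the SRI form `sha256-<base64>`, and constructs its own inventory and report batch inline. It also handles the case the summary implies: a cross-origin script without CORS access yields no hash, so it cannot be attested and is bucketed separately.

```python
import base64
import hashlib
import json


def sri_sha256(body: bytes) -> str:
    """SRI-style digest of a script body: 'sha256-' + base64(SHA-256)."""
    digest = hashlib.sha256(body).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


# Constructed inventory: every script the application is expected to run,
# keyed by URL, with the digest of the reviewed copy of each.
KNOWN_SCRIPTS = {
    "https://app.example/static/checkout.js": sri_sha256(b"console.log('checkout v1');\n"),
    "https://cdn.example/lib/analytics.js": sri_sha256(b"window.track = function () {};\n"),
}

# Constructed report batch in the shape a Reporting API endpoint receives
# (a JSON array of report objects). The report type and body field names
# used here are assumptions, not the spec's confirmed names.
SAMPLE_BATCH = json.dumps([
    {"type": "csp-hash", "age": 5, "url": "https://app.example/checkout",
     "body": {"documentURL": "https://app.example/checkout",
              "subresourceURL": "https://app.example/static/checkout.js",
              "hash": KNOWN_SCRIPTS["https://app.example/static/checkout.js"],
              "type": "subresource", "destination": "script"}},
    {"type": "csp-hash", "age": 5, "url": "https://app.example/checkout",
     "body": {"documentURL": "https://app.example/checkout",
              "subresourceURL": "https://cdn.example/lib/analytics.js",
              # same URL as the inventory entry, but the content has changed
              "hash": sri_sha256(b"window.track = function () { /* changed */ };\n"),
              "type": "subresource", "destination": "script"}},
    {"type": "csp-hash", "age": 5, "url": "https://app.example/checkout",
     "body": {"documentURL": "https://app.example/checkout",
              "subresourceURL": "https://third.example/widget.js",
              "hash": sri_sha256(b"/* not in the inventory */\n"),
              "type": "subresource", "destination": "script"}},
    {"type": "csp-hash", "age": 5, "url": "https://app.example/checkout",
     "body": {"documentURL": "https://app.example/checkout",
              "subresourceURL": "https://other.example/opaque.js",
              "hash": "",  # no CORS access, so the browser reports no hash
              "type": "subresource", "destination": "script"}},
    # An unrelated report type that a shared endpoint may also receive.
    {"type": "csp-violation", "age": 5, "url": "https://app.example/checkout",
     "body": {"blockedURL": "inline", "effectiveDirective": "script-src"}},
])


def classify_reports(batch_json: str, inventory: dict) -> dict:
    """Sort hash reports into the buckets a reviewer acts on.

    ok        - URL is in the inventory and the hash matches
    modified  - URL is in the inventory but its content changed
    unknown   - URL is not in the inventory at all
    unhashed  - the browser reported no hash (opaque cross-origin script),
                so the script cannot be attested until it is served with
                CORS or self-hosted
    Reports of other types (e.g. ordinary CSP violations) are skipped.
    """
    buckets = {"ok": [], "modified": [], "unknown": [], "unhashed": []}
    for report in json.loads(batch_json):
        if report.get("type") != "csp-hash":
            continue
        body = report.get("body", {})
        url = body.get("subresourceURL", "")
        reported = body.get("hash", "")
        if not reported:
            buckets["unhashed"].append(url)
        elif url not in inventory:
            buckets["unknown"].append(url)
        elif inventory[url] != reported:
            buckets["modified"].append(url)
        else:
            buckets["ok"].append(url)
    return buckets


if __name__ == "__main__":
    for bucket, urls in classify_reports(SAMPLE_BATCH, KNOWN_SCRIPTS).items():
        print(f"{bucket:9s} {urls}")
```

The "modified" and "unknown" buckets are the ones an inventory requirement such as PCI-DSS v4 cares about: a known URL whose hash no longer matches the reviewed copy, and a script URL the inventory has never seen. The "unhashed" bucket is worth tracking on its own, since those scripts are loaded but cannot be attested by this mechanism at all.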