Contact emails
mea...@chromium.org

Explainer
https://github.com/explainers-by-googlers/script-src-v2

Specification
None
Existing CSP spec will be updated as part of development.

Summary

Introduces a new Content Security Policy (CSP) directive tentatively called
*script-src-v2*. This new directive adds two new hash-based allowlisting
mechanisms: script sources based on hashes of URLs, and contents of eval()
and eval()-like functions. Extending hashes to cover URL and eval() hashes
allows developers to set reasonably strict security policies by narrowly
allowlisting scripts by their hashes even when script contents are subject
to frequent changes, and known-safe contents of eval() without permitting
unchecked use of eval() broadly. script-src-v2 drops some features
considered unsafe from script-src. In particular, hostname-based
allowlisting functionality that is unsafe and no longer necessary given the
expanded allowlisting functionality is removed. The new directive overrides
script-src when provided.


Blink component
Blink>SecurityFeature>ContentSecurityPolicy
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EContentSecurityPolicy%22>

Motivation

Allowlist script-src URLs with their hashes with a new keyword called
url-hashes: Sites that want to allowlist scripts for use with script-src
currently have two options: allowlist script contents through subresource
integrity, which is not practical for scripts that change often (e.g.
analytics), or use host-source to allowlist entire hostnames (thus
allowlisting more than may be necessary). This proposal permits
allowlisting full URLs, which permits precise allowlist targeting while
still allowing content to change as needed. Using hashes over raw URLs in
the policy allows for a more succinct representation when allowlisting
longer URLs.

More safely enabling scripts for use with eval(), Function, setTimeout,
setInterval, and setImmediate: The only existing mechanism to use eval()
and eval-like functions is by enabling them without restriction via
unsafe-eval. This means that currently any site that needs to use eval()
(such as for feature detection) must expose itself to eval-based XSS
risks. Allowlisting individual scripts mitigates these issues.

Introducing the script-src-v2 directive: Relying on the functionality
above without incurring breakage on browsers that do not yet support the
updated semantics necessitates a new directive that overrides the previous
directive, allowing older browsers to fall back on a less-safe
script-src-based policy.


Initial public proposal
https://github.com/WICG/proposals/issues/203

Search tags
content security policy
<https://chromestatus.com/features#tags:content%20security%20policy>, csp
<https://chromestatus.com/features#tags:csp>

TAG review
None

TAG review status
Pending

Risks


Interoperability and Compatibility

The new script-src-v2 directive (final name TBD) is intended to override
script-src. This will allow sites to enforce a stricter policy in browsers
that understand the new directive while still including a weaker policy for
those that only support script-src. The new url-hashes keyword and support
for hashes of eval'ed functions are only supported in script-src-v2. We
decided not to backport these changes to script-src to avoid potential
breakage: Sites deploying these features without checking browser support
may cause the user's browser to block loading of scripts allowlisted by
url-hashes and eval hashes.


*Gecko*: No signal

*WebKit*: No signal

*Web developers*: No signals

*Other signals*:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

None


Debuggability



Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No

Web Platform Tests will be written as part of the prototype.


Flag name on about://flags
None

Finch feature name
CSPScriptSrcV2

Requires code in //chrome?
False

Tracking bug
https://crbug.com/392657736

Estimated milestones

No milestones specified


Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5196368819519488?gate=5111339338694656

This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
