Sounds cool Yoav, and PCI-DSS v4 compliance does seem like a generally useful thing to be doing to help better secure payments on the web. Thank you for driving this!
On Thu, Nov 7, 2024 at 9:36 AM Yoav Weiss (@Shopify) <yoavwe...@chromium.org> wrote:
> Contact emails: yoavwe...@chromium.org
>
> Explainer: https://github.com/yoavweiss/subresource-reporting?tab=readme-ov-file#subresource-reporting
>
> Specification: Not yet, but soon.
>
> Summary
>
> Complex web applications often need to keep tabs of the subresources that
> they download, for security purposes. In particular, upcoming industry
> standards and best practices (e.g. PCI-DSS v4) require that web
> applications keep an inventory of all the scripts they download and
> execute. This feature builds on the Reporting API to report the URLs and
> hashes (for CORS/same-origin) of all the script resources that the document
> loads.
>
> Blink component: Blink>ReportingObserver
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EReportingObserver>
>
> Motivation
>
> Web developers load many different script assets to their sites, and those
> scripts can then load other assets. Some of those assets are versioned and
> their content's integrity can be validated using Subresource Integrity or
> using Content Security Policy hashes. But other assets are dynamic,
> ever-green scripts that can be updated by their provider at any moment. The
> web platform has no means of validating the integrity of such scripts,
> neither in reporting nor in enforcement mode. At the same time, upcoming
> security standards require web developers to maintain an up to date
> inventory of all scripts that execute in the context of their payment page
> documents, and have a mechanism to validate their integrity. In the absence
> of better mechanisms, developers and merchants will need to settle for
> lower fidelity security guarantees — e.g. offline hash verification through
> crawling. Such mechanisms leave a lot to be desired in terms of their
> coverage, while at the same time add a lot of implementation complexity.
>
> Initial public proposal: https://github.com/WICG/proposals/issues/182
>
> TAG review: Not yet
>
> TAG review status: Soon
>
> Risks
>
> Interoperability and Compatibility
>
> As this is a new feature activated through an HTTP header, I don't believe
> there's any compatibility risk associated with it.
>
> As for interoperability, it's a bit early to say but casually talking to
> Mozilla and Webkit folks about it didn't trigger any alarms on their end.
>
> *Gecko*: No signal
>
> *WebKit*: No signal
>
> *Web developers*: No signals
>
> *Other signals*:
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
>
> None
>
> Debuggability
>
> None
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> Yes
> <https://chromium-review.googlesource.com/c/chromium/src/+/5952306/16/third_party/blink/web_tests/external/wpt/reporting/subresource.https.html>
>
> Flag name on about://flags: None
>
> Finch feature name: SubresourceReporting
>
> Non-finch justification: None
>
> Requires code in //chrome? False
>
> Tracking bug: https://issues.chromium.org/issues/377830102
>
> Estimated milestones
>
> M133
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/6337535507431424?gate=5620293283086336
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com/>.
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSK_3rddBZ16wCBCuJR3f2a9%3DGSWDH-azFbmHi5dQK%2BPqw%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSK_3rddBZ16wCBCuJR3f2a9%3DGSWDH-azFbmHi5dQK%2BPqw%40mail.gmail.com?utm_medium=email&utm_source=footer>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY-qNB4T%2BO-DZWHZEXdJf%2BY8ne0R%3DmSvGt47vB141vP0RQ%40mail.gmail.com.
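The receiving side of the inventory-and-hash workflow the intent describes, as an added example that is not code from the intent, the explainer or Chromium. It assumes reports arrive in the standard Reporting API envelope with a report type named "subresource" and body fields `url` and `hash` (the spec does not yet exist, so those three names are assumptions); the inventory entries and sample reports are constructed.

```javascript
// Added example (not code from the intent, explainer or Chromium): a reporting
// endpoint's consumer that reconciles script reports against a PCI-DSS-style
// inventory. Envelope fields (type, age, url, user_agent, body) follow the
// Reporting API; the type name "subresource" and body fields url/hash are ASSUMED.

// Pinned entries carry an SRI-style hash; ever-green entries only track the last
// hash observed, so a provider-side update shows up as a finding.
function makeInventory() {
  return {
    "https://cdn.example.com/app.v12.js": { pin: "sha256-AAA" },                  // constructed
    "https://pay.example.com/checkout.js": { evergreen: true, lastSeen: "sha256-BBB" },
  };
}

// Returns findings for an analyst; updates lastSeen for ever-green scripts in place.
function reconcileReports(reports, inventory) {
  const findings = [];
  for (const r of reports) {
    if (r.type !== "subresource") continue;                    // ASSUMED report type
    const { url, hash = null } = r.body ?? {};
    if (typeof url !== "string") { findings.push({ status: "malformed-report" }); continue; }
    const entry = inventory[url];
    if (!entry) { findings.push({ status: "unknown-script", url, hash }); continue; }
    if (hash === null) {
      // Hashes are only reported for same-origin/CORS scripts, so an opaque
      // cross-origin script cannot be integrity-checked from the report alone.
      findings.push({ status: "hash-unavailable", url });
    } else if (entry.pin) {
      if (hash !== entry.pin) findings.push({ status: "hash-mismatch", url, expected: entry.pin, observed: hash });
    } else if (entry.evergreen) {
      if (entry.lastSeen && entry.lastSeen !== hash) {
        findings.push({ status: "evergreen-changed", url, previous: entry.lastSeen, observed: hash });
      }
      entry.lastSeen = hash;
    }
  }
  return findings;
}

// Constructed sample payload in Reporting API envelope shape, not real browser output.
const SAMPLE_REPORTS = [
  { type: "subresource", age: 10, url: "https://shop.example/checkout", user_agent: "UA",
    body: { url: "https://cdn.example.com/app.v12.js", hash: "sha256-AAA" } },
  { type: "subresource", age: 12, url: "https://shop.example/checkout", user_agent: "UA",
    body: { url: "https://pay.example.com/checkout.js", hash: "sha256-CCC" } },
  { type: "subresource", age: 15, url: "https://shop.example/checkout", user_agent: "UA",
    body: { url: "https://third-party.example/unlisted.js", hash: null } },
];
console.log(reconcileReports(SAMPLE_REPORTS, makeInventory()));
```

Running the same batch twice against one inventory shows the ever-green change reported once and then treated as the new baseline, while the unlisted script is flagged every time.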