Thanks for working on this - LGTM1
On 12/9/24 8:05 PM, Yoav Weiss (@Shopify) wrote:
Contact emails
yoavwe...@chromium.org
Explainer
https://github.com/w3c/webappsec-csp/pull/693#issue-2692363906
Specification
https://github.com/w3c/webappsec-csp/pull/693
Summary
Complex web applications often need to keep tabs on the subresources
that they download, for security purposes. In particular, upcoming
industry standards and best practices (e.g. PCI-DSS v4) require that
web applications keep an inventory of all the scripts they download
and execute. This feature builds on CSP and the Reporting API to
report the URLs and hashes (for CORS/same-origin) of all the script
resources that the document loads.
Blink component
Blink>SecurityFeature
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%22>
TAG review
https://github.com/w3ctag/design-reviews/issues/1020
TAG review status
Pending
Risks
Interoperability and Compatibility
As a new feature, it has no particular compatibility issues.
In terms of interop, this feature was discussed
<https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-11-20-minutes.md#subresource-reporting-and-csp>
at a WebAppSec meeting, and Apple folks were involved in the review.
/Gecko/: No signal
(https://github.com/mozilla/standards-positions/issues/1129)
/WebKit/: No signal
(https://github.com/WebKit/standards-positions/issues/430)
/Web developers/: Positive
(https://github.com/w3c/webappsec-csp/pull/693#issuecomment-2501689386)
Shopify as well as Google Security are interested in this.
/Other signals/:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
None
Debuggability
None
Will this feature be supported on all six Blink platforms
(Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes
https://wpt.fyi/results/content-security-policy/report-hash?label=experimental&label=master&aligned
Flag name on about://flags
CSPReportHash
Finch feature name
CSPReportHash
Requires code in //chrome?
False
Tracking bug
https://issues.chromium.org/issues/377830102
Estimated milestones
Shipping on desktop 133
Shipping on Android 133
Shipping on WebView 133
Anticipated spec changes
Open questions about a feature may be a source of future web compat or
interop issues. Please list open issues (e.g. links to known github
issues in the project for the feature specification) whose resolution
may introduce web compat/interop risk (e.g., changing the naming or
structure of the API in a non-backward-compatible way).
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6337535507431424?gate=5971079770931200
Links to previous Intent discussions
Intent to Prototype:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSK_3rddBZ16wCBCuJR3f2a9%3DGSWDH-azFbmHi5dQK%2BPqw%40mail.gmail.com
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohS%2B9jsqee5LYD5GaikgrEjMKBBziAecNomCd95iBkj6t7g%40mail.gmail.com