LGTM3 On Wed, Dec 11, 2024, 9:26 AM Chris Harrelson <chris...@chromium.org> wrote:
> LGTM2 > > On Mon, Dec 9, 2024 at 5:02 AM Mike Taylor <miketa...@chromium.org> wrote: > >> Thanks for working on this - LGTM1 >> On 12/9/24 8:05 PM, Yoav Weiss (@Shopify) wrote: >> >> Contact emails yoavwe...@chromium.org >> >> Explainer https://github.com/w3c/webappsec-csp/pull/693#issue-2692363906 >> >> Specification https://github.com/w3c/webappsec-csp/pull/693 >> >> Summary >> >> Complex web applications often need to keep tabs of the subresources that >> they download, for security purposes. In particular, upcoming industry >> standards and best practices (e.g. PCI-DSS v4) require that web >> applications keep an inventory of all the scripts they download and >> execute. This feature builds on CSP and the Reporting API to report the >> URLs and hashes (for CORS/same-origin) of all the script resources that the >> document loads. >> >> >> Blink component Blink>SecurityFeature >> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%22> >> >> TAG review https://github.com/w3ctag/design-reviews/issues/1020 >> >> TAG review status Pending >> >> Risks >> >> >> Interoperability and Compatibility >> >> As a new feature, it has no particular compatibility issues. >> >> In terms of interop, this feature was discussed >> <https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-11-20-minutes.md#subresource-reporting-and-csp> >> at a WebAppSec meeting, and Apple folks were involved in the review. >> >> >> *Gecko*: No signal ( >> https://github.com/mozilla/standards-positions/issues/1129) >> >> *WebKit*: No signal ( >> https://github.com/WebKit/standards-positions/issues/430) >> >> *Web developers*: Positive ( >> https://github.com/w3c/webappsec-csp/pull/693#issuecomment-2501689386) >> Shopify as well as Google Security are interested in this. >> >> *Other signals*: >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> None >> >> >> Debuggability >> >> None >> >> >> Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, ChromeOS, Android, and Android WebView)? >> Yes >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ? Yes >> >> >> https://wpt.fyi/results/content-security-policy/report-hash?label=experimental&label=master&aligned >> >> >> Flag name on about://flags CSPReportHash >> >> Finch feature name CSPReportHash >> >> Requires code in //chrome? False >> >> Tracking bug https://issues.chromium.org/issues/377830102 >> >> Estimated milestones >> Shipping on desktop 133 >> Shipping on Android 133 >> Shipping on WebView 133 >> >> Anticipated spec changes >> >> Open questions about a feature may be a source of future web compat or >> interop issues. Please list open issues (e.g. links to known github issues >> in the project for the feature specification) whose resolution may >> introduce web compat/interop risk (e.g., changing to naming or structure of >> the API in a non-backward-compatible way). >> >> None >> >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/6337535507431424?gate=5971079770931200 >> >> Links to previous Intent discussions Intent to Prototype: >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSK_3rddBZ16wCBCuJR3f2a9%3DGSWDH-azFbmHi5dQK%2BPqw%40mail.gmail.com >> >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohS%2B9jsqee5LYD5GaikgrEjMKBBziAecNomCd95iBkj6t7g%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohS%2B9jsqee5LYD5GaikgrEjMKBBziAecNomCd95iBkj6t7g%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/9bc8c39b-cf96-4424-9a71-cf44621f7978%40chromium.org >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/9bc8c39b-cf96-4424-9a71-cf44621f7978%40chromium.org?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_Q5LMwCw6fe3Low7AQZUwV0AJMuFM9VTCQYZZAqGUSHw%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_Q5LMwCw6fe3Low7AQZUwV0AJMuFM9VTCQYZZAqGUSHw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA44PQj3G8TrKRsCjQe09ATozFVdfdFK0DP0%2B3NH8rWN9cTf2g%40mail.gmail.com.
