CSP hash reporting keywords

[yoavweiss]

WebKittens

@annevk

Title of the proposal

CSP: hash reporting for scripts

URL to the spec

w3c/webappsec-csp#693

URL to the spec's repository

https://github.com/w3c/webappsec-csp/

Issue Tracker URL

No response

Explainer URL

w3c/webappsec-csp#693 (comment)

TAG Design Review URL

w3ctag/design-reviews#1020

Mozilla standards-positions issue URL

mozilla/standards-positions#1129

WebKit Bugzilla URL

No response

Radar URL

No response

Description

This feature adds a new CSP directive "report-hash", which triggers a new reporting type "csp-hash-report".
It reports hashes for (same-origin or CORS enabled) scripts that are loaded in the context of the document (regardless of their "integrity" attribute), and sends reports about them.

Those reports enable developers to:

• Create inventory of the scripts running on their page. (critical for PCI-DSS v4 - context.)
• Have certainty that they can enable SRI or CSP hash-based enforcement without breaking their sites. For some hash-based enforcement, we'd also need to add reporting for inline scripts, evals, event handlers and javascript URLs that are not covered by the current spec PR.

[yoavweiss]

Relevant WebKit bug

[annevk]

@yoavweiss do you know what happened with these comments from mt? w3c/webappsec-csp#693 (review)

[sysrqb]

I asked a clarifying question in w3c/webappsec-csp#693 (comment), and Yoav responded w3c/webappsec-csp#693 (comment).

In particular, we understand the theoretical benefit of this feature, and it could reduce the burden of adoption and maintaining CSP hashes, but I'm concerned that this will either be:

1. abused for automatically updating the digests, such that sites adopt CSP hash policies but don't actively track/audit hash changes
2. will only be used by a few large organizations, therefore only reducing their maintenance burden while not increasing overall adoption on the web

(2) is not bad, by itself, but reactively updating hashes will surely negatively impact usability.

Overall, I'm neutral on this proposal, and we will update WebKit's official position in 1 week unless anyone objects in the meantime.

[yoavweiss]

@yoavweiss do you know what happened with these comments from mt? w3c/webappsec-csp#693 (review)

Apologies for missing this (and mt's comments). The comments seem editorial in nature, and arrived after the PR has landed. I'll address them. Thanks for pointing them out! :)