Description
I was taking a brief look at the CSP 3 script/style hash definitions, and it seems to get the sources it computes a digest over directly from the HTML spec. For example, https://html.spec.whatwg.org/multipage/scripting.html#prepare-a-script step 11 calls https://w3c.github.io/webappsec-csp/#match-element-to-source-list.
However, in the HTML spec, these sources (such as textContent) are, I believe, UTF-16. In practice, this contradicts UA behavior. Chrome (and I believe Firefox as well) explicitly converts the source to UTF-8 before computing the digest. See https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp?sq=package:chromium&rcl=1471966011&l=466. While an argument could be made that the UAs should change, this has been their behavior for several years now, and changing the UTF-8 conversion to UTF-16 could potentially break a number of sites (although that's measurable, I suppose). The simplest solution, it seems to me, is to add an explicit UTF-8 conversion in the CSP spec.