Extend CSP script-src hashes

[carlosjoan91]

This implements the work described in w3ctag/design-reviews#1128

---

Preview | Diff

[mikewest]

Hey Carlos, thanks for the PR. I took a quick pass through and have a few questions.

That said, as we move CSP into a more stable maintenance model, we're going to be a little stricter about what we land in the spec to ensure that we have support from implementers, reasonably solid tests, etc. Can you help me understand the current state of the feature from that perspective?

[mikewest]

I don't understand the point of serializing and then splitting. Could you more simply access the URL's path, which is already either a single segment or a list of segments? I think that dropping the last item off the list (assuming it's non-empty) would address 5, and get you something similar to what you get with the serializing/splitting.

[mikewest]

Can you help me understand the value of the check here? I think the goal is to specify what to hash in a way that's consistent across pages, but I don't understand why, for example, it's better to build a relative path than to hash the absolute path. Is the deployment story impacted one way or the other?

[mikewest]

It might make sense to rely on https://infra.spec.whatwg.org/#string-concatenate to construct |result|, which would let you consolidate 15.* and 16.

[carlosjoan91]

Ack, I'll add a commit that switches to it

[mikewest]

What is this hash referring to? It's not script.js, /script.js, or https://example.com/script.js, so I feel like I'm missing something.

[mikewest]

I'm not sure I understands this step. If a url-hash-source expression is present, won't it be checked exhaustively in step 3, returning Allowed if it matches? We only get here when that expression doesn't match, in which case I'm not sure I understand why we ignore the rest of the source list checks. Do these expressions exclude other source list checks (non-URL hashes, for instance)?

[carlosjoan91]

I'll let @meacer correct me since he worked more on this section, but I think the intention is to ignore hosts if any URL hashes are set

[dveditz]

From Mike's comment up top (#784 (review))

That said, as we move CSP into a more stable maintenance model, we're going to be a little stricter about what we land in the spec [...]

Part of that is that we need to have an issue in this repo, not TAG, where we can discuss and track the proposal before we ever get to landing a PR for it.

[carlosjoan91]

Hey Carlos, thanks for the PR. I took a quick pass through and have a few questions.
Hey Mike, thanks for reviewing. I'm sorry about the delay, my default email for github notifications was set to one that I don't monitor, I've fixed it now. I left two of your questions unresolved because I think @meacer will have more context as he worked on the URL hashes section more than I did.

That said, as we move CSP into a more stable maintenance model, we're going to be a little stricter about what we land in the spec to ensure that we have support from implementers, reasonably solid tests, etc. Can you help me understand the current state of the feature from that perspective?

Our intention is to do an origin trial in Chrome 141, so this is currently fully implemented in Chrome (behind a runtime enabled feature), and we have some tentative WPTs (under https://github.com/web-platform-tests/wpt/tree/master/content-security-policy/script-src/tentative), as far as other implementers we have filed position requests, but have not received responses yet.

[carlosjoan91]

From Mike's comment up top (#784 (review))

That said, as we move CSP into a more stable maintenance model, we're going to be a little stricter about what we land in the spec [...]

Part of that is that we need to have an issue in this repo, not TAG, where we can discuss and track the proposal before we ever get to landing a PR for it.

I think I might be misunderstanding the order of things. I had originally assumed that TAG review should happen before the PR can land (in fact I originally requested TAG review before even creating a PR, and just pointed the TAG review request to a diff, but a PR was requested as part of TAG review).

Is the correct order to handle discussions directly in the repo and get the PR landed (or maybe approved but not landed) before requesting TAG review?