From d8953ae98bc757355dcd6aa889ef67b90135ade5 Mon Sep 17 00:00:00 2001 From: Jan-Ivar Bruaroey Date: Mon, 24 Nov 2025 19:22:39 -0500 Subject: [PATCH 1/3] Add 'unsafe-webtransport-hashes' keyword to connect-src --- index.bs | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 748280acce..81b7f02e81 100644 --- a/index.bs +++ b/index.bs @@ -696,7 +696,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity / "'report-sample'" / "'unsafe-allow-redirects'" / "'wasm-unsafe-eval'" / "'trusted-types-eval'" / "'report-sha256'" / "'report-sha384'" - / "'report-sha512'" + / "'report-sha512'" / "'unsafe-webtransport-hashes'" ISSUE: Bikeshed `unsafe-allow-redirects`. @@ -2220,9 +2220,15 @@ Content-Type: application/reports+json 3. If the result of executing [[#match-request-to-source-list]] on |request|, this directive's value, and - |policy|, is "`Does Not Match`", return "`Blocked`". + |policy|, is "`Matches`", return "`Allowed`". - 4. Return "`Allowed`". + 4. If |request|'s [=request/mode=] is "`webtransport`", |request|'s + unsafe-webtransport-hashes flag is set, and + the result of executing [[#allow-unsafe-webtransport-hashes]] + on this directive's value, is "`Matches`", + return "`Allowed`". + + 6. Return "`Blocked`".
`connect-src` Post-request check @@ -4262,6 +4268,27 @@ Content-Type: application/reports+json 9. Return "`Matches`". +
+ Does a source list allow unsafe WebTransport hashes? +
+ + A source list + allows unsafe WebTransport hashes + if it contains the `keyword-source` + expression `'unsafe-webtransport-hashes'`, as described in the following + algorithm: + + Given a source list |list|, the following + algorithm returns "`Allows`" if allowed and "`Does Not Allow`" otherwise. + + 1. For each |expression| of |list|: + + 1. If |expression| is an ASCII case-insensitive match for the + `keyword-source` "`'unsafe-webtransport-hashes'`", + return "`Allows`". + + 2. Return "`Does Not Allow`". +

Element Matching Algorithms
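Review bot: in the `@@ -696,7 +696,7 @@` hunk of patch 1/3, `'unsafe-webtransport-hashes'` is appended to the same keyword list that holds `'wasm-unsafe-eval'` and `'report-sample'`, so it becomes valid syntax wherever that production is used, while the commit subject scopes it to `connect-src`. Please state in the spec text which directives honor the keyword and that it has no effect elsewhere, so a policy author does not assume it does something in other directives.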
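Review bot: new step 4 in the `@@ -2220,9 +2220,15 @@` hunk of patch 1/3 tests the result of [[#allow-unsafe-webtransport-hashes]] against "`Matches`", but the algorithm added at the end of this same patch returns "`Allows`" or "`Does Not Allow`", so as written the step can never return "`Allowed`". Compare against "`Allows`" (or rename the return values to match), and renumber the final step, which jumps from 4 to `6. Return "Blocked"`. The step also relies on |request|'s "unsafe-webtransport-hashes flag" without a link to where that flag is defined; please add the cross-reference.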
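Review bot: the new section in the `@@ -4262,6 +4268,27 @@` hunk of patch 1/3 defines only the keyword lookup and never says what the keyword relaxes. Going by step 4 of the pre-request check in this patch, a policy carrying it lets a `webtransport` request through even though the source list did not match the request; a non-normative note stating that, and why the keyword carries the `unsafe-` prefix, would let authors judge the exposure before adding it to a policy.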

From 5cfea89f253779e8fe308a7cef8ceaf4b2789483 Mon Sep 17 00:00:00 2001 From: Jan-Ivar Bruaroey Date: Mon, 24 Nov 2025 19:58:41 -0500 Subject: [PATCH 2/3] fix line number --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 81b7f02e81..49267107a8 100644 --- a/index.bs +++ b/index.bs @@ -2228,7 +2228,7 @@ Content-Type: application/reports+json on this directive's value, is "`Matches`", return "`Allowed`". - 6. Return "`Blocked`". + 5. Return "`Blocked`".
`connect-src` Post-request check From d0d230a872f99bfbca1fd4908d6d72ec42a6f9cc Mon Sep 17 00:00:00 2001 From: Jan-Ivar Bruaroey Date: Tue, 25 Nov 2025 15:18:20 -0500 Subject: [PATCH 3/3] Address review feedback --- index.bs | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/index.bs b/index.bs index 49267107a8..8731352dbd 100644 --- a/index.bs +++ b/index.bs @@ -2215,20 +2215,23 @@ Content-Type: application/reports+json 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, + 1. If the result of executing [[#should-directive-execute]] on |name|, `connect-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and - |policy|, is "`Matches`", return "`Allowed`". + 1. Let |source list| be directive's value. - 4. If |request|'s [=request/mode=] is "`webtransport`", |request|'s - unsafe-webtransport-hashes flag is set, and - the result of executing [[#allow-unsafe-webtransport-hashes]] - on this directive's value, is "`Matches`", - return "`Allowed`". + 1. If the result of executing [[#match-request-to-source-list]] on + |request|, |source list|, and |policy|, is "`Matches`", return + "`Allowed`". + + 1. If |request|'s [=request/mode=] is "`webtransport`", |request|'s + unsafe-webtransport-hashes is not empty, and + |source list| [=list/contains=] a source expression which + is an ASCII case-insensitive match for the + `keyword-source` + "`'unsafe-webtransport-hashes'`", return "`Allowed`". - 5. Return "`Blocked`". + 1. Return "`Blocked`".
`connect-src` Post-request check @@ -2242,14 +2245,23 @@ Content-Type: application/reports+json 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, + 1. If the result of executing [[#should-directive-execute]] on |name|, `connect-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 1. Let |source list| be directive's value. - 4. Return "`Allowed`". + 1. If the result of executing [[#match-response-to-source-list]] on + |response|, |request|, |source list|, and |policy|, is "`Matches`", + return "`Allowed`". + + 1. If |request|'s [=request/mode=] is "`webtransport`", |request|'s + unsafe-webtransport-hashes is not empty, and + |source list| [=list/contains=] a source expression which + is an ASCII case-insensitive match for the + `keyword-source` + "`'unsafe-webtransport-hashes'`", return "`Allowed`". + + 1. Return "`Blocked`".

`default-src`
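Review bot: the rewritten final condition in the `@@ -2215,20 +2215,23 @@` hunk of patch 3/3 inlines the keyword test and no longer calls [[#allow-unsafe-webtransport-hashes]], yet this patch has no hunk removing that section (its hunks touch only the two `connect-src` checks), so the section added in patch 1/3 is left unreferenced. Either delete the section or keep calling it from both checks. Also, `Let |source list| be directive's value.` dropped "this"; the removed lines read "this directive's value".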
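Review bot: the keyword step added to the post-request check in the `@@ -2242,14 +2245,23 @@` hunk of patch 3/3 returns "`Allowed`" using only |request|'s mode, |request|'s unsafe-webtransport-hashes and the keyword, so a |response| that [[#match-response-to-source-list]] did not match is still allowed without |response| being consulted. If that is intended, add a note explaining why the response is exempt; if not, drop the step from this check. The condition is also a verbatim copy of the one in the pre-request check, so a shared algorithm would keep the two from drifting apart.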