Bug 285292
| Summary: | Implement CSP Hash Reporting keywords | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Yoav Weiss <yoav> |
| Component: | New Bugs | Assignee: | Yoav Weiss <yoav> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, m_finkel, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Yoav Weiss
Relevant position - https://github.com/WebKit/standards-positions/issues/430
CSP recently gained new `report-sha256`, `report-sha384` and `report-sha512` keywords - https://github.com/w3c/webappsec-csp/pull/693/files
These new keywords trigger a new reporting type "hash-report".
It reports hashes for (same-origin or CORS enabled) scripts that are loaded in the context of the document (regardless of their "integrity" attribute), and sends reports about them.
Those reports enable developers to:
* Create inventory of the scripts running on their page. (critical for PCI-DSS v4 - context.)
* Have certainty that they can enable SRI or CSP hash-based enforcement without breaking their sites. The current PR only covers external scripts. We may want to extend the feature in the future to cover inline scripts, evals, event handlers and javascript URLs.
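The following is an added illustration of the reporting behaviour described in this bug; it is not WebKit's code or the code of the linked pull request. It parses the `report-sha*` keywords out of a `script-src` directive, applies the same-origin-or-CORS rule to a set of constructed script fetches, and digests each eligible script body in the `sha256-<base64>` form that CSP and SRI use, so the resulting list doubles as the SRI inventory the bug mentions. The report body field names (`documentURL`, `subresourceURL`, `hash`) and the restriction to `script-src` are assumptions for this example, not the normative report format.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Keyword spelling taken from the bug description; the values are hashlib algorithm names.
REPORT_KEYWORDS = {
    "'report-sha256'": "sha256",
    "'report-sha384'": "sha384",
    "'report-sha512'": "sha512",
}


def requested_hash_algorithms(csp_header):
    """Return the digest algorithms requested by report-sha* keywords.

    Only the script-src directive is inspected (an assumption of this
    example; the bug covers external scripts only)."""
    algorithms = []
    for directive in csp_header.split(";"):
        tokens = directive.strip().split()
        if not tokens or tokens[0].lower() != "script-src":
            continue
        for token in tokens[1:]:
            algorithm = REPORT_KEYWORDS.get(token.lower())
            if algorithm and algorithm not in algorithms:
                algorithms.append(algorithm)
    return algorithms


def csp_hash(algorithm, body):
    """Digest a script body in the 'sha256-<base64>' form CSP and SRI use."""
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def hash_is_reportable(document_url, script_url, cors_enabled):
    """Hashes are only reported for same-origin or CORS-enabled scripts;
    an opaque cross-origin response must not leak its content hash."""
    doc, script = urlsplit(document_url), urlsplit(script_url)
    same_origin = (doc.scheme, doc.hostname, doc.port) == (
        script.scheme, script.hostname, script.port)
    return same_origin or cors_enabled


def build_hash_reports(document_url, csp_header, scripts):
    """One report per (reportable script, requested algorithm).

    The report body field names are an assumption for illustration;
    the webappsec-csp spec defines the normative format."""
    reports = []
    algorithms = requested_hash_algorithms(csp_header)
    for script in scripts:
        if not hash_is_reportable(document_url, script["url"], script["cors"]):
            continue
        for algorithm in algorithms:
            reports.append({
                "type": "hash-report",
                "documentURL": document_url,
                "subresourceURL": script["url"],
                "hash": csp_hash(algorithm, script["body"]),
            })
    return reports


# Constructed sample input: a document, its CSP, and three script fetches.
DOCUMENT_URL = "https://shop.example/checkout"
CSP_HEADER = ("default-src 'self'; "
              "script-src 'self' https://cdn.example 'report-sha256' 'report-sha384'; "
              "report-to csp-endpoint")
SCRIPTS = [
    {"url": "https://shop.example/app.js", "cors": False,
     "body": b"console.log('app');"},
    {"url": "https://cdn.example/lib.js", "cors": True,
     "body": b"window.lib = {};"},
    # Cross-origin and fetched without CORS: the response is opaque, so no hash report.
    {"url": "https://cdn.example/tracker.js", "cors": False,
     "body": b"track();"},
]

if __name__ == "__main__":
    print(json.dumps(build_hash_reports(DOCUMENT_URL, CSP_HEADER, SCRIPTS), indent=2))
```

Running the block prints four reports (two scripts, two algorithms each) and none for `tracker.js`, which is the gap a site operator has to close by adding `crossorigin` to third-party script tags before the inventory is complete enough to switch on hash-based enforcement.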
Yoav Weiss
Pull request: https://github.com/WebKit/WebKit/pull/38282
EWS
Committed 288506@main (70d6fcb9fc88): <https://commits.webkit.org/288506@main>
Reviewed commits have been landed. Closing PR #38282 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/142458671>