Bug 285292 - Implement CSP Hash Reporting keywords
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=285292
Yoav Weiss
Reported 2025-01-01 23:34:08 PST
Relevant position - https://github.com/WebKit/standards-positions/issues/430

CSP recently had new `report-sha256`, `report-sha384` and `report-sha512` keywords added - https://github.com/w3c/webappsec-csp/pull/693/files

These new keywords trigger a new reporting type, "hash-report". It reports hashes for (same-origin or CORS-enabled) scripts that are loaded in the context of the document (regardless of their "integrity" attribute), and sends reports about them.

Those reports enable developers to:
* Create an inventory of the scripts running on their page (critical for PCI-DSS v4 - context).
* Have certainty that they can enable SRI or CSP hash-based enforcement without breaking their sites.

The current PR only covers external scripts. We may want to extend the feature in the future to cover inline scripts, evals, event handlers and javascript URLs.
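To show how a site would consume the reports described above, here is an added example (not code from the bug, WebKit, or the spec PR): it computes the CSP/SRI hash-source for a script body, turns a constructed batch of "hash-report" entries into a per-document script inventory, and derives the hash-based `script-src` a site could move to. The report field names, and placing `'report-sha256'` inside `script-src`, are assumptions about the spec's report shape.

```python
import base64
import hashlib
import json

def csp_hash_expression(data: bytes, algo: str = "sha256") -> str:
    """Return the CSP/SRI hash-source for a script body: sha256-<base64>."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

# Report-only policy that asks for hash reports without blocking anything.
# Putting 'report-sha256' in script-src is this example's assumption about
# where the keyword belongs; report-to names a Reporting API endpoint.
REPORT_ONLY_HEADER = ("Content-Security-Policy-Report-Only: "
                      "script-src 'report-sha256'; report-to csp-endpoint")

# Constructed scripts assumed to be loaded by the checkout page, and the
# hash-report batch a browser would send for them (field names assumed).
DOCUMENT_URL = "https://shop.example/checkout"
SAMPLE_SCRIPTS = {
    "https://shop.example/js/app.js": [b"console.log('app');"],
    # Served with a different body on a second load: not safe to pin.
    "https://cdn.example/tag.js": [b"var v=1;", b"var v=2;"],
}
SAMPLE_BATCH = json.dumps([
    {"type": "hash-report", "url": DOCUMENT_URL,
     "body": {"documentURL": DOCUMENT_URL, "subresourceURL": url,
              "hash": csp_hash_expression(body), "type": "subresource",
              "destination": "script"}}
    for url, bodies in SAMPLE_SCRIPTS.items() for body in bodies
])

def script_inventory(report_json: str) -> dict:
    """{document URL -> {script URL -> set of reported hashes}}, other report types ignored."""
    inventory: dict = {}
    for report in json.loads(report_json):
        body = report.get("body", {})
        if report.get("type") != "hash-report" or body.get("destination") != "script":
            continue
        doc = inventory.setdefault(body["documentURL"], {})
        doc.setdefault(body["subresourceURL"], set()).add(body["hash"])
    return inventory

def enforcement_candidate(inventory: dict, document_url: str) -> tuple:
    """Hash-based script-src for one document, plus URLs whose body changed (unsafe to pin)."""
    scripts = inventory.get(document_url, {})
    unstable = sorted(u for u, h in scripts.items() if len(h) > 1)
    hashes = sorted(next(iter(h)) for h in scripts.values() if len(h) == 1)
    return "script-src " + " ".join(f"'{h}'" for h in hashes), unstable
```

A script reported with more than one hash is exactly the case the report-only phase exists to surface: pinning it would break the page once enforcement is switched on.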
Yoav Weiss
Comment 1 2025-01-02 00:24:41 PST
EWS
Comment 2 2025-01-06 22:03:38 PST
Committed 288506@main (70d6fcb9fc88): <https://commits.webkit.org/288506@main> Reviewed commits have been landed. Closing PR #38282 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2025-01-06 22:04:20 PST