#1020: CSP report-hash keyword
Discussions
Discussed Mar 1, 2025
Martin: we've discussed... we think this is fine... We minuted the thing last week...
Marcos: yeah... this is fine... though it didn't directly address the particular use case...
Martin: I think we can give them that feedback..
Thanks for bringing this here. We think that this is a pretty good feature that will help people deploy SRI.
We do note that the use cases you raise aren't directly addressed by this. It is more directly addressed by SRI itself, which caused us some trouble. Maybe you can update the documentation to more accurately reflect the chain of logic you need to follow to get from the mechanism to the use case.
We agree to post the above comment and close with 'satisfied'.
Comment by @hadleybeeman Mar 24, 2025
Big apologies, @yoavweiss. Somehow this fell through our cracks! We are very sorry. We will take it up now, and hopefully get back to you soon.
Comment by @martinthomson Apr 2, 2025
Thanks for bringing this here @yoavweiss. We think that this is a pretty good feature that will help people deploy SRI.
We do note that the use cases you raise aren't directly addressed by this. It is more directly addressed by SRI itself, which caused us some trouble in reviewing. Maybe you can update the documentation to more accurately reflect the chain of logic you need to follow to get from the mechanism to the use case.
Opened Nov 26, 2024
Hello TAG-san!
I'm requesting a TAG review of CSP hash reporting.
Complex web applications often need to keep tabs on the subresources that they download, for security purposes.
In particular, upcoming industry standards and best practices (e.g. PCI-DSS v4 - context) require that web applications keep an inventory of all the scripts they download and execute.
This feature is a new CSP keyword, that would enable web developers to create and maintain such inventories in a secure manner.
Further details:
You should also know that this work is critical for PCI-DSS v4 - context.
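As an added illustration of the inventory use case described in the request (not code from the proposal or from its author), the snippet below shows the reconciliation a site would run on received hash reports: compute SRI-style digests for the scripts it knowingly serves, match incoming reports against that inventory, and surface any script whose hash is unknown. The report field names (`type`, `body.subresourceURL`, `body.hash`) and all URLs and script bodies are constructed assumptions for this example, not the format the CSP proposal defines.

```python
import base64
import hashlib


def sri_digest(script_bytes: bytes, algo: str = "sha256") -> str:
    """Return an SRI-style token such as 'sha256-<base64 digest>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed inventory: the scripts the site knows it ships (bodies are made up).
KNOWN_SCRIPTS = {
    "https://example.test/static/app.js": b"console.log('app v1');",
    "https://example.test/static/vendor.js": b"window.vendor = {};",
}
# Map digest -> URL so a report's hash can be looked up directly.
INVENTORY = {sri_digest(body): url for url, body in KNOWN_SCRIPTS.items()}

# Constructed reports. The field names are an ASSUMPTION for this example; the
# real report format is whatever the CSP hash-reporting proposal specifies.
REPORTS = [
    {"type": "csp-hash", "body": {
        "subresourceURL": "https://example.test/static/app.js",
        "hash": sri_digest(b"console.log('app v1');")}},
    {"type": "csp-hash", "body": {
        "subresourceURL": "https://cdn.example.test/tag.js",
        "hash": sri_digest(b"/* unreviewed third-party tag */")}},
]


def reconcile(reports, inventory):
    """Split hash reports into scripts present in the inventory and scripts that
    are not; returns (matched, unknown), where matched maps the reported URL to
    the inventory URL and unknown lists (reported URL, hash) pairs to review."""
    matched, unknown = {}, []
    for report in reports:
        if report.get("type") != "csp-hash":
            continue  # other report types are handled elsewhere
        body = report["body"]
        reported_hash = body.get("hash", "")
        if reported_hash in inventory:
            matched[body["subresourceURL"]] = inventory[reported_hash]
        else:
            unknown.append((body["subresourceURL"], reported_hash))
    return matched, unknown


def integrity_for(url: str) -> str:
    """SRI integrity value to ship for a known script, closing the loop from
    observed hashes back to enforcement via the integrity attribute."""
    return sri_digest(KNOWN_SCRIPTS[url])
```

Running `reconcile(REPORTS, INVENTORY)` matches `app.js` and flags `tag.js` as unknown; once a flagged script is reviewed and added to `KNOWN_SCRIPTS`, `integrity_for` gives the value to pin it with.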