#1128: Other Spec Review: Extend CSP script-src hashes

Visit on Github.

Opened Jul 31, 2025

Specification

https://github.com/w3c/webappsec-csp/compare/main...carlosjoan91:webappsec-csp:main

Explainer

https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md

Links

The specification

Where and by whom is the work is being done?

  • GitHub repo:
  • Primary contacts:
    • @carlosjoan91 (Google), @meacer (Google)
  • Organization/project driving the specification: Google
  • This work is being funded by: Google
  • Primary standards group developing this feature: N/A
  • Group intended to standardize this work: WebAppSec
  • Incubation and standards groups that have discussed the design:

Feedback so far

You should also know that...

No response

<!-- Content below this is maintained by @w3c-tag-bot -->

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1128

Discussions

Log in to see TAG-private discussions.

Discussed Aug 11, 2025 (See Github)

bump to C please

Discussed Aug 18, 2025 (See Github)

Ehsan: Had an initial review, Jeffrey and Martin got back to me. Had a conversation to make a decision on that. Needs more clarification from them. This is progressing, for now.

Martin: Took a brief look at it, explainer is poorly written. Doesn't really explain the how and why.

Ehsan: Looks more like a brainstorming document. Doesn't come to a single proposal.

Hadley: It's totally fair to say that to the proponents, and having them come back.

Ehsan: I would respond to Jeffrey and once he has feedback for me, and ask them to make the explainer more clear. If that looks sensible?

Hadley: Yes. There's a label for "too early," which might be appropriate here.

Comment by @martinthomson Aug 20, 2025 (See Github)

@carlosjoan91, could you at least open a pull request on the spec? https://github.com/w3c/webappsec-csp/compare/main...carlosjoan91:webappsec-csp:main is far from a stable reference (not that a pull request is materially different, but we've become accustomed to that). A pull request at least signals that you are actively engaging with the spec editors and anyone who is watching.

Comment by @carlosjoan91 Aug 20, 2025 (See Github)

Sure, I created https://github.com/w3c/webappsec-csp/pull/784. I wasn't sure about the timeline for creating a PR and whether that should come before/after TAG review.

Discussed Aug 25, 2025 (See Github)

Ehsan: Think we discussed last week too; generally happy with the purpose of the spec, though the explainer is not in a good shape. I have asked them @@@@@@@ if they can clarify the explainer. We are discussing in the private thread. Martin and Jeffrey had comments/clarification requests. I think we're waiting for Jeffrey to have a look at my response.

Discussed Sep 8, 2025 (See Github)

Ehsan: I submitted my review and internally discussed. Waiting for final go from Jeffrey. More or less there.

Discussed Sep 29, 2025 (See Github)

Ehsan: I posted my initial draft comment, waiting for Jeffrey to comment on it. No update for three weeks. Matthew: I think we should ping Jeffrey. Ehsan: Main issue with this is that there are some issues, at this stage the explainer is messy in many ways. Maybe that’s the first thing I want to raise, if they can properly edit the explainer. For the other concerns, I will ping Jeffrey. Matthew: Think we can do something with this, as you have more detailed technical points. We should get them something. Sympathetic about your comment regarding the explainer. We could hint to the explainer explainer. If there are specific suggestions, we can support them to improve it. Can you draft it as a private comment? We should be able to get thumbs-ups quicky. We should also apologize for the delay. Ehsan: I like that idea.

Discussed Oct 6, 2025 (See Github)

Jeffrey: The point is solid, but we need another iteration on the comment.