#1128: Other Spec Review: Extend CSP script-src hashes

Opened Jul 31, 2025

Specification

https://github.com/w3c/webappsec-csp/compare/main...carlosjoan91:webappsec-csp:main

Explainer

https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md

Links

The specification

Where and by whom is the work being done?

  • GitHub repo:
  • Primary contacts:
    • @carlosjoan91 (Google), @meacer (Google)
  • Organization/project driving the specification: Google
  • This work is being funded by: Google
  • Primary standards group developing this feature: N/A
  • Group intended to standardize this work: WebAppSec
  • Incubation and standards groups that have discussed the design:

Feedback so far

You should also know that...

No response

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1128

Discussions

Discussed Aug 11, 2025 (See Github)

bump to C please

Discussed Aug 18, 2025 (See Github)

Ehsan: Had an initial review, Jeffrey and Martin got back to me. Had a conversation to make a decision on that. Needs more clarification from them. This is progressing, for now.

Martin: Took a brief look at it, explainer is poorly written. Doesn't really explain the how and why.

Ehsan: Looks more like a brainstorming document. Doesn't come to a single proposal.

Hadley: It's totally fair to say that to the proponents, and having them come back.

Ehsan: I would respond to Jeffrey and once he has feedback for me, and ask them to make the explainer more clear. If that looks sensible?

Hadley: Yes. There's a label for "too early," which might be appropriate here.

Comment by @martinthomson Aug 20, 2025 (See Github)

@carlosjoan91, could you at least open a pull request on the spec? https://github.com/w3c/webappsec-csp/compare/main...carlosjoan91:webappsec-csp:main is far from a stable reference (not that a pull request is materially different, but we've become accustomed to that). A pull request at least signals that you are actively engaging with the spec editors and anyone who is watching.

Comment by @carlosjoan91 Aug 20, 2025 (See Github)

Sure, I created https://github.com/w3c/webappsec-csp/pull/784. I wasn't sure about the timeline for creating a PR and whether that should come before/after TAG review.