I'm requesting a TAG review of CSP hash reporting.
Complex web applications often need to keep tabs of the subresources that they download, for security purposes.
In particular, upcoming industry standards and best practices (e.g. PCI-DSS v4 - context) require that web applications keep an inventory of all the scripts they download and execute.
This feature is a new CSP keyword, that would enable web developers to create and maintain such inventories in a secure manner.
Relevant time constraints or deadlines: As the relevant security standards go into effect in March 2025, I'd like to ship this in the next month or so.
The group where the work on this specification is currently being done: WebAppSec
The group where standardization of this work is intended to be done (if different from the current group):
Major unresolved issues with or opposition to this specification:
This work is being funded by: Shopify
You should also know that this work is critical for PCI-DSS v4 - context.
OpenedNov 26, 2024
こんにちは TAG-さん!
I'm requesting a TAG review of CSP hash reporting.
Complex web applications often need to keep tabs of the subresources that they download, for security purposes.
In particular, upcoming industry standards and best practices (e.g. PCI-DSS v4 - context) require that web applications keep an inventory of all the scripts they download and execute.
This feature is a new CSP keyword, that would enable web developers to create and maintain such inventories in a secure manner.
Further details:
You should also know that this work is critical for PCI-DSS v4 - context.