You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This feature adds a new CSP directive "report-hash", which triggers a new reporting type "csp-hash-report".
It reports hashes for (same-origin or CORS enabled) scripts that are loaded in the context of the document (regardless of their "integrity" attribute), and sends reports about them.
Those reports enable developers to:
Create inventory of the scripts running on their page. (critical for PCI-DSS v4 - context.)
Have certainty that they can enable SRI or CSP hash-based enforcement without breaking their sites. For some hash-based enforcement, we'd also need to add reporting for inline scripts, evals, event handlers and javascript URLs that are not covered by the current spec PR.
The text was updated successfully, but these errors were encountered:
yoavweiss
changed the title
CSP report-hash directive
CSP report-hash keyword
Dec 6, 2024
yoavweiss
changed the title
CSP report-hash keyword
CSP hash reporting keywords
Dec 6, 2024
WebKittens
@annevk
Title of the proposal
Hash reporting for scripts
URL to the spec
w3c/webappsec-csp#693
URL to the spec's repository
https://github.com/w3c/webappsec-csp/
Issue Tracker URL
No response
Explainer URL
w3c/webappsec-csp#693 (comment)
TAG Design Review URL
w3ctag/design-reviews#1020
Mozilla standards-positions issue URL
mozilla/standards-positions#1129
WebKit Bugzilla URL
No response
Radar URL
No response
Description
This feature adds a new CSP directive "report-hash", which triggers a new reporting type "csp-hash-report".
It reports hashes for (same-origin or CORS enabled) scripts that are loaded in the context of the document (regardless of their "integrity" attribute), and sends reports about them.
Those reports enable developers to:
The text was updated successfully, but these errors were encountered: