Project: chromium
Starred by 5 users
Status: Fixed
Closed: Apr 10
OS: Linux, Android, Windows, Chrome, Mac
Pri: 2
Type: Launch-OWP

CSP hash expressions can match external scripts.
Project Member Reported by mkwst@chromium.org, Mar 29
Change description:
CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'`, `<script integrity="sha256-abc123" ...></script>` will be allowed.

Links:
Public standards discussion: https://w3c.github.io/webappsec-csp/#external-hash

Support in other browsers:
Internet Explorer: No comment.
Firefox: None (though supportive on https://github.com/w3c/webappsec-csp/issues/78)
Safari: No comment.
 
Project Member Comment 1 by bugdroid1@chromium.org, Apr 7
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/95c2d0890691fd854623b81bdd12037895987d18

commit 95c2d0890691fd854623b81bdd12037895987d18
Author: treib <treib@chromium.org>
Date: Fri Apr 07 16:18:27 2017

CSP: Enable whitelisting of external JavaScript via hashes

See https://w3c.github.io/webappsec-csp/#external-hash

Intent to Implement and Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/t2ai4lsHhWI/MndrZyEWCwAJ

BUG=706380

Review-Url: https://codereview.chromium.org/2784753003
Cr-Commit-Position: refs/heads/master@{#462883}

[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/crossoriginScript.js
[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/crossoriginScript.js.headers
[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/externalScript.js
[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html
[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/workers/WorkerGlobalScope.cpp

Status: Fixed
This is done, marking Fixed.

mkwst, please intervene if I'm bypassing some process here.