New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 706380 link

Starred by 5 users
Status: Fixed
Owner:
treib@chromium.org
Closed: Apr 2017
Cc:
mkwst@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Launch-OWP
Launch-Accessibility: ----
Launch-Exp-Leadership: ----
Launch-Leadership: ----
Launch-Legal: ----
Launch-M-Approved: ----
Launch-M-Target: ----
Launch-Privacy: ----
Launch-Security: ----
Launch-Test: ----
Launch-UI: ----
Rollout-Type: ----



Sign in to add a comment

CSP hash expressions can match external scripts.

Project Member Reported by mkwst@chromium.org, Mar 29 2017 
Change description:
CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'`, `<script integrity="sha256-abc123" ...></script>` will be allowed.

Links:
Public standards discussion: https://w3c.github.io/webappsec-csp/#external-hash

Support in other browsers:
Internet Explorer: No comment.
Firefox: None (though supportive on https://github.com/w3c/webappsec-csp/issues/78)
Safari: No comment.
Project Member

Comment 1 by bugdroid1@chromium.org, Apr 7 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/95c2d0890691fd854623b81bdd12037895987d18

commit 95c2d0890691fd854623b81bdd12037895987d18
Author: treib <treib@chromium.org>
Date: Fri Apr 07 16:18:27 2017

CSP: Enable whitelisting of external JavaScript via hashes

See https://w3c.github.io/webappsec-csp/#external-hash

Intent to Implement and Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/t2ai4lsHhWI/MndrZyEWCwAJ

BUG= 706380 

Review-Url: https://codereview.chromium.org/2784753003
Cr-Commit-Position: refs/heads/master@{#462883}

[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/crossoriginScript.js
[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/crossoriginScript.js.headers
[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/externalScript.js
[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html
[add] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/95c2d0890691fd854623b81bdd12037895987d18/third_party/WebKit/Source/core/workers/WorkerGlobalScope.cpp

Comment 2 by treib@chromium.org, Apr 10 2017

Status: Fixed (was: Assigned)
This is done, marking Fixed.

mkwst, please intervene if I'm bypassing some process here.

Sign in to add a comment