New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 5 users

Issue metadata

Status: Fixed
Closed: Apr 2017
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Launch-OWP
Launch-Accessibility: ----
Launch-Exp-Leadership: ----
Launch-Leadership: ----
Launch-Legal: ----
Launch-M-Approved: ----
Launch-M-Target: ----
Launch-Privacy: ----
Launch-Security: ----
Launch-Test: ----
Launch-UI: ----
Rollout-Type: ----

Sign in to add a comment

CSP hash expressions can match external scripts.

Project Member Reported by, Mar 29 2017 Back to list

Issue description

Change description:
CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'`, `<script integrity="sha256-abc123" ...></script>` will be allowed.

Public standards discussion:

Support in other browsers:
Internet Explorer: No comment.
Firefox: None (though supportive on
Safari: No comment.
Project Member

Comment 1 by, Apr 7 2017

The following revision refers to this bug:

commit 95c2d0890691fd854623b81bdd12037895987d18
Author: treib <>
Date: Fri Apr 07 16:18:27 2017

CSP: Enable whitelisting of external JavaScript via hashes


Intent to Implement and Ship:

BUG= 706380 

Cr-Commit-Position: refs/heads/master@{#462883}


Comment 2 by, Apr 10 2017

Status: Fixed (was: Assigned)
This is done, marking Fixed.

mkwst, please intervene if I'm bypassing some process here.

Sign in to add a comment