Other Spec Review: Extend CSP script-src hashes

[meacer]

Specification

w3c/webappsec-csp@main...carlosjoan91:webappsec-csp:main

Explainer

https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md

Links

• Previous early design review, if any: N/A
• An introduction to the feature, aimed at unfamiliar audiences: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#deployment-use-case-examples
• A description of the problems that end-users were facing before this proposal: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#use-cases
• Alternatives considered: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#considered-alternatives
• Examples of how to use the proposal to solve the end-users' problems: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#proposed-solution
• What do the end-users experience with this proposal: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#proposed-solution
• User research you did to validate the problem and/or design, if any: N/A
• Web Platform Tests:
  • https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/content-security-policy/script-src/tentative/
  • https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/content-security-policy/unsafe-eval/tentative/
  • https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/virtual/script-src-hashes-v1-enabled/

The specification

• Follows the Web Platform Design Principles.
• Includes Security and Privacy Considerations sections based on answers to the Security/Privacy Questionnaire.

Where and by whom is the work is being done?

• GitHub repo:
• Primary contacts:
  • @carlosjoan91 (Google), @meacer (Google)
• Organization/project driving the specification: Google
• This work is being funded by: Google
• Primary standards group developing this feature: N/A
• Group intended to standardize this work: WebAppSec
• Incubation and standards groups that have discussed the design:
  • https://github.com/w3c/webappsec/blob/main/meetings/2025/2025-04-16-minutes.md

Feedback so far

• Multi-stakeholder feedback:
  • Chromium comments: https://chromestatus.com/feature/5196368819519488
  • Mozilla comments: Extend CSP script-src hashes mozilla/standards-positions#1277
  • WebKit comments: Extend CSP script-src hashes WebKit/standards-positions#535
• Major unresolved issues with or opposition to this specification:
• Status/issue trackers for implementations: https://chromestatus.com/feature/5196368819519488

You should also know that...

No response

---

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1128

[martinthomson]

@carlosjoan91, could you at least open a pull request on the spec? w3c/webappsec-csp@main...carlosjoan91:webappsec-csp:main is far from a stable reference (not that a pull request is materially different, but we've become accustomed to that). A pull request at least signals that you are actively engaging with the spec editors and anyone who is watching.

[carlosjoan91]

Sure, I created w3c/webappsec-csp#784. I wasn't sure about the timeline for creating a PR and whether that should come before/after TAG review.