From 44b234ab5d84a24a68a151e74c45a8bb0b81a9ef Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Fri, 22 Nov 2024 12:19:14 +0100 Subject: [PATCH 01/18] Rough sketch of CSP report-hash --- index.bs | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/index.bs b/index.bs index cc418b6a0d..f5e6aed941 100644 --- a/index.bs +++ b/index.bs @@ -1082,6 +1082,21 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 2. If |policy|'s disposition is "`enforce`", then set |result| to "`Blocked`". + 2. If |directive| is [=`report-hash`=] and |request|'s [=request/destination=] matches + the |directive|'s [=directive/value=], then: + 1. Let |hash| be the empty [=string=]. + 1. If |request| is CORS enabled, set |hash| to the result of [=applying algorithm to bytes=] on response's bytes and "sha-256". + 1. Let |body| be a [=csp hash report body=] with the current document' URL as its [=documentURL=], + |request|'s URL as its [=subresourceURL=] and |hash| as its [=hash=]. + 1. [=Generate and queue a report=] with the following arguments: + : context + :: |settings object| + : type + :: "csp-hash" + : destination + :: |directive|'s value. + : data + :: |body| Note: This portion of the check verifies that the page can load the response. That is, that a Service Worker hasn't substituted a file which @@ -1593,6 +1608,19 @@ this algorithm returns normally if compilation is allowed, and throws a }; + When a [=`report-hash`=] directive is present, csp hash report may be generated + and sent out to a reporting endpoint associated with the policy. + +

csp hash reports have the report type "csp-hash".

+ +

csp violation reports are not visible to + ReportingObservers. + +

A csp hash report body is a [=struct=] with the following fields: + documentURL, + subresourceURL, + hash. +

Violation DOM Events

@@ -3630,6 +3658,17 @@ this algorithm returns normally if compilation is allowed, and throws a directive-value = token +

`report-hash`

+ + The `report-hash` directive signifies that script hash reports + should be sent to reporting endpoints [[REPORTING]]. The + directive's name and value are described by the following ABNF: + +
+    directive-name  = "report-hash"
+    directive-value = token
+  
+

Directives Defined in Other Documents
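Review bot: In the first hunk the new `report-hash` step uses |directive|'s value both as the thing |request|'s [=request/destination=] is matched against and as the `destination` argument of [=Generate and queue a report=]; one token cannot be both a fetch destination to filter on and a Reporting API endpoint name, so the endpoint should come from the policy's `report-to` directive and the destination filter should be stated separately. In the same hunk, "If |request| is CORS enabled" is not a defined term (the hash is meaningful only when the response is CORS-same-origin, so say that), "the current document' URL" should read "the current document's URL", and |settings object| is used as a variable that is never bound. In the second hunk, the note under the `csp-hash` report type says "csp violation reports are not visible to ReportingObservers" but this section is about csp hash reports. In the third hunk, `directive-value = token` does not say what the token is (an endpoint name, a destination, or something else), so please spell that out.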

From 2d0ba6c69b907c9fce5855341150f1b5d2b51e7f Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Mon, 25 Nov 2024 22:39:16 +0100 Subject: [PATCH 02/18] Spec builds --- index.bs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index f5e6aed941..a26bd13b4b 100644 --- a/index.bs +++ b/index.bs @@ -164,6 +164,10 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ type:dfn text: administratively-prohibited; url: #dfn-administratively-prohibited +spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity + type:dfn; + text:applying algorithm to bytes; url: #apply-algorithm-to-response +
 {
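Review bot: The SRI anchor added here pairs the text "applying algorithm to bytes" with the fragment `#apply-algorithm-to-response`; please confirm that fragment is the definition the call site intends, since the step applies the algorithm to |response|'s body bytes and a wrong anchor breaks the cross-reference at build time.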
@@ -1090,7 +1094,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
                   |request|'s URL as its [=subresourceURL=] and |hash| as its [=hash=].
               1.  [=Generate and queue a report=] with the following arguments:
                   :   context
-                  ::  |settings object|
+                  ::  settings object
                   :   type
                   ::  "csp-hash"
                   :   destination
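Review bot: Replacing `|settings object|` with the plain words "settings object" removes the undefined variable but leaves the report context unbound; the `context` argument should name a concrete settings object, for example |request|'s [=request/client=], so that [=Generate and queue a report=] has something to run with.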

From 2afde7fc54bf0443251487de13b881477aebecea Mon Sep 17 00:00:00 2001
From: Yoav Weiss 
Date: Tue, 26 Nov 2024 10:25:54 +0100
Subject: [PATCH 03/18] Add a type and tighten the language

---
 index.bs | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/index.bs b/index.bs
index a26bd13b4b..80e3004bbc 100644
--- a/index.bs
+++ b/index.bs
@@ -186,7 +186,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
   "REPORTING": {
     "href": "https://wicg.github.io/reporting/",
     "title": "Reporting API",
-    "authors": [ "Ilya Gregorik", "Mike West" ]
+    "authors": [ "Ilya Grigorik", "Mike West" ]
   },
   "TIMING": {
       "href": "https://owasp.org/www-pdf-archive/HackPra_Allstars-Browser_Timing_Attacks_-_Paul_Stone.pdf",
@@ -1089,9 +1089,11 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
           2. If |directive| is [=`report-hash`=] and |request|'s [=request/destination=] matches
              the |directive|'s [=directive/value=], then:
               1.  Let |hash| be the empty [=string=].
-              1.  If |request| is CORS enabled, set |hash| to the result of [=applying algorithm to bytes=] on response's bytes and "sha-256".
-              1.  Let |body| be a [=csp hash report body=] with the current document' URL as its [=documentURL=],
-                  |request|'s URL as its [=subresourceURL=] and |hash| as its [=hash=].
+              1.  If |response| is [=CORS-same-origin=], set |hash| to the result of [=applying
+                  algorithm to bytes=] on |response|'s [=response/body=] and "sha-256".
+              1.  Let |body| be a [=csp hash report body=] with the current document' URL as its
+                  [=documentURL=], |request|'s URL as its [=subresourceURL=], |hash| as its
+                  [=hash=], and "subresource" as its [=csp hash report body/type=].
               1.  [=Generate and queue a report=] with the following arguments:
                   :   context
                   ::  settings object
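Review bot: "the current document' URL" in the `Let |body| be` step is still missing the possessive and should read "the current document's URL". This step also sets "subresource" as the [=csp hash report body/type=], but the `type` field added to the struct in the third hunk gets no definition of its allowed values; please enumerate them (or state that "subresource" is the only value for now) where the field is defined.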
@@ -1623,7 +1625,8 @@ this algorithm returns normally if compilation is allowed, and throws a
   

A csp hash report body is a [=struct=] with the following fields: documentURL, subresourceURL, - hash. + hash, + type.

Violation DOM Events From 4bcb6a375ed45d8e7482447e0191861cc7152b81 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Wed, 27 Nov 2024 08:11:52 +0100 Subject: [PATCH 04/18] Append the hash algorithm to the report --- index.bs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 80e3004bbc..60aff0d370 100644 --- a/index.bs +++ b/index.bs @@ -167,6 +167,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity type:dfn; text:applying algorithm to bytes; url: #apply-algorithm-to-response + text: cryptographic hash function; url: #hash-functions

@@ -1088,9 +1089,14 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
                   then set |result| to "`Blocked`".
           2. If |directive| is [=`report-hash`=] and |request|'s [=request/destination=] matches
              the |directive|'s [=directive/value=], then:
+              1.  Let |algo| be "sha-256" or another [=cryptographic hash function=].
               1.  Let |hash| be the empty [=string=].
-              1.  If |response| is [=CORS-same-origin=], set |hash| to the result of [=applying
-                  algorithm to bytes=] on |response|'s [=response/body=] and "sha-256".
+              1.  If |response| is [=CORS-same-origin=], then:
+                  1. Let |hash list| be a [=list=] of [=strings=], initially empty.
+                  1. [=list/Append=] |algo| to |hash list|.
+                  1. [=list/Append=] the result of [=applying algorithm to bytes=] on |response|'s
+                     [=response/body=] and |algo| to |hash list|.
+                  1. Let |hash| be the result of [=concatenating=] |hash list| with U+002D (-).
               1.  Let |body| be a [=csp hash report body=] with the current document' URL as its
                   [=documentURL=], |request|'s URL as its [=subresourceURL=], |hash| as its
                   [=hash=], and "subresource" as its [=csp hash report body/type=].
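Review bot: `Let |algo| be "sha-256" or another [=cryptographic hash function=]` leaves the algorithm choice to the implementation, so two user agents could report different hashes for the same script and an endpoint could not compare them; pin a single algorithm or let the policy select it. The prefix is also spelled "sha-256" with a hyphen, while this spec's hash-source grammar uses "sha256", so the concatenated "sha-256-…" value would not have the form of existing CSP hashes; use the same token. Finally, `Let |hash| be the result of [=concatenating=]` re-declares a variable declared two steps earlier and should be "Set |hash| to".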

From ebb43e8fa2b627983b5434c29deae5a95a4e8734 Mon Sep 17 00:00:00 2001
From: Yoav Weiss 
Date: Wed, 27 Nov 2024 09:20:50 +0100
Subject: [PATCH 05/18] Change to a report-sha256 keyword

---
 index.bs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/index.bs b/index.bs
index 60aff0d370..aa48209646 100644
--- a/index.bs
+++ b/index.bs
@@ -689,7 +689,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
     keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
                      / "'strict-dynamic'" / "'unsafe-hashes'" /
                      / "'report-sample'" / "'unsafe-allow-redirects'"
-                     / "'wasm-unsafe-eval'"
+                     / "'wasm-unsafe-eval'" / "'report-sha256'"
 
     ISSUE: Bikeshed `unsafe-allow-redirects`.
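Review bot: `'report-sha256'` is added to keyword-source, which is shared by every directive that takes a source list, but the third hunk only honours it when |directive|'s name is "script-src"; either restrict where the keyword is valid or state in the other directive sections that it is ignored there. While touching this block, note that the unchanged line `/ "'strict-dynamic'" / "'unsafe-hashes'" /` ends with a `/` and the next line begins with another, which is an invalid `/ /` in the ABNF.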
 
@@ -700,6 +700,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
     ; Digests: 'sha256-[digest goes here]'
     hash-source    = "'" hash-algorithm "-" base64-value "'"
     hash-algorithm = "sha256" / "sha384" / "sha512"
+
   
The host-char production intentionally contains only ASCII @@ -1087,9 +1088,10 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. If |policy|'s disposition is "`enforce`", then set |result| to "`Blocked`". - 2. If |directive| is [=`report-hash`=] and |request|'s [=request/destination=] matches - the |directive|'s [=directive/value=], then: - 1. Let |algo| be "sha-256" or another [=cryptographic hash function=]. + 2. If |directive|'s value contains the + expression "`'report-sha256'`" and |directive|'s [=directive/name=] + is "script-src", then: + 1. Let |algo| be "sha-256". 1. Let |hash| be the empty [=string=]. 1. If |response| is [=CORS-same-origin=], then: 1. Let |hash list| be a [=list=] of [=strings=], initially empty. From d6747cd3c45976d304a2dce83f4b5d16cfc390be Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Wed, 27 Nov 2024 10:14:13 +0100 Subject: [PATCH 06/18] Improve definitions --- index.bs | 58 ++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 35 insertions(+), 23 deletions(-) diff --git a/index.bs b/index.bs index aa48209646..9eb81d3e90 100644 --- a/index.bs +++ b/index.bs 
@@ -1088,29 +1088,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. If |policy|'s disposition is "`enforce`", then set |result| to "`Blocked`". - 2. If |directive|'s value contains the - expression "`'report-sha256'`" and |directive|'s [=directive/name=] - is "script-src", then: - 1. Let |algo| be "sha-256". - 1. Let |hash| be the empty [=string=]. - 1. If |response| is [=CORS-same-origin=], then: - 1. Let |hash list| be a [=list=] of [=strings=], initially empty. - 1. [=list/Append=] |algo| to |hash list|. - 1. [=list/Append=] the result of [=applying algorithm to bytes=] on |response|'s - [=response/body=] and |algo| to |hash list|. - 1. Let |hash| be the result of [=concatenating=] |hash list| with U+002D (-). - 1. Let |body| be a [=csp hash report body=] with the current document' URL as its - [=documentURL=], |request|'s URL as its [=subresourceURL=], |hash| as its - [=hash=], and "subresource" as its [=csp hash report body/type=]. - 1. [=Generate and queue a report=] with the following arguments: - : context - :: settings object - : type - :: "csp-hash" - : destination - :: |directive|'s value. - : data - :: |body| + 2. Call [=should report hash?=] with |response|, |request|, |directive| and |policy|. Note: This portion of the check verifies that the page can load the response. That is, that a Service Worker hasn't substituted a file which @@ -1118,6 +1096,40 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 4. Return |result|. +

Should report hash?

+ + Given a [=response=] |response|, a [=/request=] |request|, a [=directive=] |directive| and a + [=content security policy object=] |policy|, run the following steps: + + 1. If |directive|'s value does not contain the + expression "`'report-sha256'`", or |directive|'s [=directive/name=] + is not "script-src", then return. + 1. Let |algo| be "sha-256". + 1. Let |hash| be the empty [=string=]. + 1. If |response| is [=CORS-same-origin=], then: + 1. Let |hash list| be a [=list=] of [=strings=], initially empty. + 1. [=list/Append=] |algo| to |hash list|. + 1. [=list/Append=] the result of [=applying algorithm to bytes=] on |response|'s + [=response/body=] and |algo| to |hash list|. + 1. Let |hash| be the result of [=concatenating=] |hash list| with U+002D (-). + 1. Let |document URL| be the empty [=string=]. + 1. Let |global| be the |request|'s [=request/client=]'s [=/global object=]. + 1. If |global| is a [=/Window=], set |document URL| to |global|'s [=document=]'s URL. + 1. If |policy|'s [=directive set=] does not contain a [=directive=] named "report-to", return. + 1. Let |report-to directive| be a [=directive=] named "report-to" from |policy|'s [=directive + set=]. + 1. Let |body| be a [=csp hash report body=] with the |document URL| as its + [=documentURL=], |request|'s URL as its [=subresourceURL=], |hash| as its + [=hash=], and "subresource" as its [=csp hash report body/type=]. + 1. [=Generate and queue a report=] with the following arguments: + : context + :: settings object + : type + :: "csp-hash" + : destination + :: |report-to directive|'s [=directive/value=]. + : data + :: |body|

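Review bot: In the first hunk the replacement step is numbered "2." directly after another "2." step, so the list numbering is off. In the new "Should report hash?" algorithm, the trailing question mark is the convention this spec uses for predicates, yet the algorithm returns nothing; either return a boolean or drop the question mark from the name. `Let |hash| be the result of [=concatenating=]` inside the CORS-same-origin branch should be "Set |hash| to", since |hash| was declared just above. The `report-to` check comes after the body has been hashed; moving the "does not contain a [=directive=] named "report-to", return" step to the top avoids hashing responses for policies that cannot report at all. Lastly, |document URL| stays the empty string whenever |global| is not a Window (e.g. a worker); say explicitly that this is intended, or fall back to the worker's URL.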
Integration with HTML From aeffc5c17f4378d0d1f4ba47674c760c280487c7 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Wed, 27 Nov 2024 10:39:27 +0100 Subject: [PATCH 07/18] move logic to post-request --- index.bs | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/index.bs b/index.bs index 9eb81d3e90..92b23fea99 100644 --- a/index.bs +++ b/index.bs @@ -687,9 +687,12 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity ; Keywords: keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'" - / "'strict-dynamic'" / "'unsafe-hashes'" / + / "'strict-dynamic'" / "'unsafe-hashes'" / "'report-sample'" / "'unsafe-allow-redirects'" / "'wasm-unsafe-eval'" / "'report-sha256'" + / "'report-sha384'" /"'report-sha512'" + + ISSUE: Bikeshed `unsafe-allow-redirects`. @@ -1088,7 +1091,6 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. If |policy|'s disposition is "`enforce`", then set |result| to "`Blocked`". - 2. Call [=should report hash?=] with |response|, |request|, |directive| and |policy|. Note: This portion of the check verifies that the page can load the response. That is, that a Service Worker hasn't substituted a file which 
@@ -1101,10 +1103,14 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity Given a [=response=] |response|, a [=/request=] |request|, a [=directive=] |directive| and a [=content security policy object=] |policy|, run the following steps: - 1. If |directive|'s value does not contain the - expression "`'report-sha256'`", or |directive|'s [=directive/name=] - is not "script-src", then return. - 1. Let |algo| be "sha-256". + 1. Let |algo| be the empty [=string=]. + 1. If |directive|'s value contains the + expression "`'report-sha256'`", set |algo| to "sha256". + 1. If |directive|'s value contains the + expression "`'report-sha384'`", set |algo| to "sha384". + 1. If |directive|'s value contains the + expression "`'report-sha512'`", set |algo| to "sha512". + 1. If |algo| is the empty [=string=], return. 1. Let |hash| be the empty [=string=]. 1. If |response| is [=CORS-same-origin=], then: 1. Let |hash list| be a [=list=] of [=strings=], initially empty. @@ -3790,6 +3796,7 @@ this algorithm returns normally if compilation is allowed, and throws a |response|, |request|, |directive|'s value, and |policy|, is "`Does Not Match`", return "`Blocked`". + 5. Call [=should report hash?=] with |response|, |request|, |directive| and |policy|. 2. Return "`Allowed`".

URL Matching
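Review bot: In the keyword-source hunk, `/"'report-sha512'"` is missing the space after the `/`, and two empty lines are added before the `ISSUE:` line that the surrounding block does not have. In the "Should report hash?" hunk, the three keyword checks each overwrite |algo| in turn, so when more than one `'report-shaN'` keyword is present the last one tested (sha512) silently wins; state that precedence explicitly, or define the combination as ignored. In the last hunk, the call is placed as step 5 after the `Does Not Match` check returns "`Blocked`", so a hash report is only generated for responses that matched the directive; if the intent is to report hashes for every script-like fetch, the call should come before that early return, and the reporting section's prose should say which behaviour applies.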

From b7edd01a5615e4b635869b5ec97d03f1f1eeb1ed Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Wed, 27 Nov 2024 15:05:29 +0100 Subject: [PATCH 08/18] Address more review comments --- index.bs | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/index.bs b/index.bs index 92b23fea99..30106bd9bf 100644 --- a/index.bs +++ b/index.bs @@ -1098,7 +1098,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 4. Return |result|. -

Should report hash?

+

Potentially report hash

Given a [=response=] |response|, a [=/request=] |request|, a [=directive=] |directive| and a [=content security policy object=] |policy|, run the following steps: @@ -1640,13 +1640,12 @@ this algorithm returns normally if compilation is allowed, and throws a }; - When a [=`report-hash`=] directive is present, csp hash report may be generated - and sent out to a reporting endpoint associated with the policy. + When a directive has a `report-hash` value, csp hash report may be generated and + sent out to a reporting endpoint associated with the policy.

csp hash reports have the report type "csp-hash".

-

csp violation reports are not visible to - ReportingObservers. +

csp hash reports are not visible to ReportingObservers.

A csp hash report body is a [=struct=] with the following fields: documentURL, @@ -3691,17 +3690,6 @@ this algorithm returns normally if compilation is allowed, and throws a directive-value = token -

`report-hash`

- - The `report-hash` directive signifies that script hash reports - should be sent to reporting endpoints [[REPORTING]]. The - directive's name and value are described by the following ABNF: - -
-    directive-name  = "report-hash"
-    directive-value = token
-  
-

Directives Defined in Other Documents
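Review bot: With the `report-hash` directive definition removed here, the sentence changed in the second hunk, "When a directive has a `report-hash` value", no longer refers to anything in the grammar; it should name the `'report-sha256'`, `'report-sha384'` and `'report-sha512'` keywords that actually trigger the report.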

@@ -3796,7 +3784,7 @@ this algorithm returns normally if compilation is allowed, and throws a |response|, |request|, |directive|'s value, and |policy|, is "`Does Not Match`", return "`Blocked`". - 5. Call [=should report hash?=] with |response|, |request|, |directive| and |policy|. + 5. Call [=potentially report hash=] with |response|, |request|, |directive| and |policy|. 2. Return "`Allowed`".

URL Matching

From 1ab5816c3a1b1fe89682f11fae900c5aeb093b2c Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Thu, 28 Nov 2024 13:30:49 +0100 Subject: [PATCH 09/18] Review nits --- index.bs | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/index.bs b/index.bs index 30106bd9bf..84d92c7062 100644 --- a/index.bs +++ b/index.bs @@ -690,9 +690,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity / "'strict-dynamic'" / "'unsafe-hashes'" / "'report-sample'" / "'unsafe-allow-redirects'" / "'wasm-unsafe-eval'" / "'report-sha256'" - / "'report-sha384'" /"'report-sha512'" - - + / "'report-sha384'" / "'report-sha512'" ISSUE: Bikeshed `unsafe-allow-redirects`. @@ -703,7 +701,6 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity ; Digests: 'sha256-[digest goes here]' hash-source = "'" hash-algorithm "-" base64-value "'" hash-algorithm = "sha256" / "sha384" / "sha512" - The host-char production intentionally contains only ASCII 
@@ -1103,29 +1100,29 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity Given a [=response=] |response|, a [=/request=] |request|, a [=directive=] |directive| and a [=content security policy object=] |policy|, run the following steps: - 1. Let |algo| be the empty [=string=]. + 1. Let |algorithm| be the empty [=string=]. 1. If |directive|'s value contains the - expression "`'report-sha256'`", set |algo| to "sha256". + expression "`'report-sha256'`", set |algorithm| to "sha256". 1. If |directive|'s value contains the - expression "`'report-sha384'`", set |algo| to "sha384". + expression "`'report-sha384'`", set |algorithm| to "sha384". 1. If |directive|'s value contains the - expression "`'report-sha512'`", set |algo| to "sha512". - 1. If |algo| is the empty [=string=], return. + expression "`'report-sha512'`", set |algorithm| to "sha512". + 1. If |algorithm| is the empty [=string=], return. 1. Let |hash| be the empty [=string=]. 1. If |response| is [=CORS-same-origin=], then: 1. Let |hash list| be a [=list=] of [=strings=], initially empty. - 1. [=list/Append=] |algo| to |hash list|. + 1. [=list/Append=] |algorithm| to |hash list|. 1. [=list/Append=] the result of [=applying algorithm to bytes=] on |response|'s - [=response/body=] and |algo| to |hash list|. + [=response/body=] and |algorithm| to |hash list|. 1. Let |hash| be the result of [=concatenating=] |hash list| with U+002D (-). 1. Let |document URL| be the empty [=string=]. 1. Let |global| be the |request|'s [=request/client=]'s [=/global object=]. - 1. If |global| is a [=/Window=], set |document URL| to |global|'s [=document=]'s URL. + 1. If |global| is a {{Window}}, set |document URL| to |global|'s [=document=]'s URL. 1. If |policy|'s [=directive set=] does not contain a [=directive=] named "report-to", return. 1. Let |report-to directive| be a [=directive=] named "report-to" from |policy|'s [=directive set=]. - 1. 
Let |body| be a [=csp hash report body=] with the |document URL| as its - [=documentURL=], |request|'s URL as its [=subresourceURL=], |hash| as its + 1. Let |body| be a [=csp hash report body=] with |document URL| as its [=documentURL=], + |request|'s URL as its [=subresourceURL=], |hash| as its [=hash=], and "subresource" as its [=csp hash report body/type=]. 1. [=Generate and queue a report=] with the following arguments: : context @@ -1640,8 +1637,8 @@ this algorithm returns normally if compilation is allowed, and throws a }; - When a directive has a `report-hash` value, csp hash report may be generated and - sent out to a reporting endpoint associated with the policy. + When a directive has a `report-hash` value, a csp hash report may be generated + and sent out to a reporting endpoint associated with the policy.

csp hash reports have the report type "csp-hash".
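Review bot: In the "Potentially report hash" hunk, `Let |hash| be the result of [=concatenating=] |hash list|` still re-declares |hash| inside the CORS-same-origin branch and should be "Set |hash| to". |document URL| also remains the empty string whenever |global| is not a {{Window}}, so reports from workers would carry an empty `documentURL`; either state that this is intended or use the worker's URL. The |algo| to |algorithm| rename and the ABNF spacing fixes look fine.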

From 4a9ccb1d83e00960b6cc8e18edfac9ab9a34d411 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Thu, 28 Nov 2024 13:52:01 +0100 Subject: [PATCH 10/18] Add an example --- index.bs | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 84d92c7062..0a8181b0af 100644 --- a/index.bs +++ b/index.bs @@ -1637,8 +1637,10 @@ this algorithm returns normally if compilation is allowed, and throws a }; - When a directive has a `report-hash` value, a csp hash report may be generated - and sent out to a reporting endpoint associated with the policy. + When a directive that impacts [=script-like=] [=request/destinations=] has a `report-hash` value, + and a [=/request=] with a [=script-like=] [=request/destination=] is fetched, a csp + hash report will be generated and sent out to a reporting endpoint associated with the policy.

csp hash reports have the report type "csp-hash".
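Review bot: "a csp hash report will be generated" overstates the algorithm: no report is generated when the policy has no `report-to` directive, and when the response is not CORS-same-origin the report carries an empty hash. Both conditions belong in this paragraph so readers know when to expect a report and what an empty `hash` means.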

@@ -1650,6 +1652,33 @@ this algorithm returns normally if compilation is allowed, and throws a hash, type. +
+ When a document's response contains the headers: +```http +Reporting-Endpoints: hashes-endpoint="https://example.com/reports" +Content-Security-Policy: report-hash; report-to hashes-endpoint +``` + and the document loads the script "main.js", a report similar to the following on will be sent: +```http +POST /reports HTTP/1.1 +Host: example.com +... +Content-Type: application/reports+json + +[{ + "type": "csp-hash-report", + "age": 12, + "url": "https://example.com/", + "user_agent": "Mozilla/5.0 (X11; Linux i686; rv:132.0) Gecko/20100101 Firefox/132.0", + "body": { + "document_url": "https://example.com/", + "subresource_url": "https://example.com/main.js", + "hash": "sha256-badbeef", + "type": "subresource" + } +}] +``` +

Violation DOM Events
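Review bot: The example's `"type": "csp-hash-report"` contradicts the definition two paragraphs up that csp hash reports have the report type "csp-hash"; use "csp-hash". The example policy `Content-Security-Policy: report-hash; report-to hashes-endpoint` uses the `report-hash` directive that was removed in an earlier commit instead of a source-list keyword, e.g. `script-src 'self' 'report-sha256'; report-to hashes-endpoint`. The body keys `document_url` and `subresource_url` are snake_case while the struct fields are `documentURL` and `subresourceURL`, so the serialization of the struct to JSON should be defined or the names aligned. Also "a report similar to the following on will be sent" has a stray "on".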

From 5337bf7ddd64632a18a16ec7f12019399efaa9be Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Thu, 28 Nov 2024 14:06:37 +0100 Subject: [PATCH 11/18] URL ref --- index.bs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 0a8181b0af..511c877820 100644 --- a/index.bs +++ b/index.bs @@ -22,7 +22,11 @@ Markup Shorthands: css off, markdown on At Risk: The [[#is-element-nonceable]] algorithm. - When a directive that impacts [=script-like=] [=request/destinations=] has a `report-hash` value, - and a [=/request=] with a [=script-like=] [=request/destination=] is fetched, a csp - hash report will be generated and sent out to a reporting endpoint associated with the policy. + When a directive that impacts [=script-like=] [=request/destinations=] has a `report-sha256`, + `report-sha384` or `report-sha512` value, and a [=/request=] with a [=script-like=] + [=request/destination=] is fetched, a csp hash report will be generated and + sent out to a reporting endpoint associated with the policy.

csp hash reports have the report type "csp-hash".
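Review bot: The hunk header `@@ -22,7 +22,11 @@` places this prose change next to the `At Risk:` metadata at the top of the file, while the paragraph being replaced belongs to the reporting section around line 1637; please check the patch was generated against the right base, since applying it as-is would move the paragraph to the top of the document.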

@@ -1681,7 +1681,8 @@ Content-Type: application/reports+json "document_url": "https://example.com/", "subresource_url": "https://example.com/main.js", "hash": "sha256-badbeef", - "type": "subresource" + "type": "subresource", + "destination": "script" } }] ```
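Review bot: `"destination": "script"` is added to the example body, but the csp hash report body struct (documentURL, subresourceURL, hash, type) has no `destination` field and the "Potentially report hash" algorithm never sets one; add the field to the struct and populate it from |request|'s [=request/destination=] so the example matches the normative text.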