[w3ctag/design-reviews] Other Spec Review: Extend CSP script-src hashes (Issue #1128)

meacer created an issue (w3ctag/design-reviews#1128)

### Specification

https://github.com/w3c/webappsec-csp/compare/main...carlosjoan91:webappsec-csp:main

### Explainer

https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md

### Links

- Previous early design review, if any: N/A
- An introduction to the feature, aimed at unfamiliar audiences: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#deployment-use-case-examples
- A description of the problems that end-users were facing before this proposal: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#use-cases
- Alternatives considered: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#considered-alternatives
- Examples of how to use the proposal to solve the end-users' problems: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#proposed-solution
- What do the end-users experience with this proposal: https://github.com/explainers-by-googlers/script-src-v2/blob/main/README.md#proposed-solution
- User research you did to validate the problem and/or design, if any: N/A
- Web Platform Tests: 
  - https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/content-security-policy/script-src/tentative/
  - https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/content-security-policy/unsafe-eval/tentative/
  - https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/virtual/script-src-hashes-v1-enabled/


### The specification

- [x] Follows the [Web Platform Design Principles](https://www.w3.org/TR/design-principles/).
- [x] Includes Security and Privacy Considerations sections based on answers to the [Security/Privacy Questionnaire](https://www.w3.org/TR/security-privacy-questionnaire/).

### Where and by whom is the work being done?

- GitHub repo:
- Primary contacts:
  - @carlosjoan91 (Google), @meacer (Google)
- Organization/project driving the specification: Google
- This work is being funded by: Google
- Primary standards group developing this feature: N/A
- Group intended to standardize this work: WebAppSec
- Incubation and standards groups that have discussed the design:
  - https://github.com/w3c/webappsec/blob/main/meetings/2025/2025-04-16-minutes.md
 

### Feedback so far

- Multi-stakeholder feedback:
  - Chromium comments: https://chromestatus.com/feature/5196368819519488
  - Mozilla comments: https://github.com/mozilla/standards-positions/issues/1277
  - WebKit comments: https://github.com/WebKit/standards-positions/issues/535
- Major unresolved issues with or opposition to this specification:
- Status/issue trackers for implementations: https://chromestatus.com/feature/5196368819519488

### You should also know that...

_No response_

---

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1128



Message ID: <w3ctag/design-reviews/issues/1128@github.com>

Received on Thursday, 31 July 2025 22:47:59 UTC