[csp-embedded-enforcement] Add support for a 'hash-required' to align with 'nonce-required'

When using CSPEE to enforce nonce-based integrity checks, the iframe[csp] attribute must contain 'nonce-required' and the child frame response should contain a randomly generated 'nonce-r4nd0m' directive. This change is great since it mitigated the issue of leaking nonces and made it easier to implement.

However, the same is not observed for 'unsafe-hashes' where currently it seems like the iframe[csp] attribute must contain the same hash that the child responder has. There appears to be no support for 'hash-required' that just asks the server to use hashes full stop.

Abdul

Received on Monday, 11 July 2022 13:34:09 UTC