CSP report-hash directive

[yoavweiss]

こんにちは TAG-さん!

I'm requesting a TAG review of {{feature}}.

{{One paragraph summary of the feature, ideally copy-pasted from your Explainer.}}

• Explainer¹: Hash reporting w3c/webappsec-csp#693 (comment)
• Specification: Hash reporting w3c/webappsec-csp#693
• WPT Tests: https://chromium-review.googlesource.com/c/chromium/src/+/6038298/11/third_party/blink/web_tests/external/wpt/content-security-policy/report-hash.https.html
• User research: N/A
• Security and Privacy self-review²: https://gist.github.com/yoavweiss/911099e2e28ac2917ba342283243f698
• GitHub repo: https://github.com/w3c/webappsec-csp
• Primary contacts:
  • Yoav Weiss (@yoavweiss), Shopify, implementer
• Organization/project driving the specification: Shopify
• Multi-stakeholder support³:
  • Chromium comments: https://groups.google.com/a/chromium.org/g/blink-dev/c/FAnsVyszxQ4/m/vG2qKw8YCQAJ
  • Mozilla comments: CSP report-hash directive mozilla/standards-positions#1129
  • WebKit comments: https://github.com/WebKit/standards-positions/issues/NNN
  • {{...include feedback/review from developers, implementers, civil society, and others}}
• Status/issue trackers for implementations⁴:
  • https://chromestatus.com/feature/6337535507431424

Further details:

• I have reviewed the TAG's Web Platform Design Principles
• Relevant time constraints or deadlines: As the relevant security standards go into effect in March 2025, I'd like to ship this in the next month or so.
• The group where the work on this specification is currently being done: WebAppSec
• The group where standardization of this work is intended to be done (if different from the current group):
• Major unresolved issues with or opposition to this specification:
• This work is being funded by: Shopify

You should also know that this work is critical for PCI-DSS v4 - context.