Add url- and eval- prefix for URL and eval hashes

[meacer]

During the WebAppSec meeting, it was suggested that the introduction of URL hashes would be confusing -- it's not immediately clear what security guarantees the hashing provides. The has is a compact representation of the URL, but beyond that, it doesn't make the policy more restrictive.

To make this more clear, it was suggested that we could prefix URL (and perhaps eval) hashes with url- (and eval-) prefixes, like so:

script-src-v2 'url-sha256-abcdef'

This has some nice properties:

• Makes the policy more transparent. No need to guess if a hash is for a script content or for a URL.
• No collisions between script contents and URLs. We plan to support relative URLs, and a relative URL like value?a:b is valid JavaScript. Prefixing URL hashes will prevent attacks that make use of this fact.
• If we also introduce the eval- prefix, the eval related parts of the policy stand out, potentially as something to be mitigated/avoided in the future.

The obvious downside is the repetition and the slight increase in the policy size which feels like a minor issue.

On balance, I think it makes sense to drop the url-hashes keyword and add url- and eval- prefixes to the relevant hashes.

[meacer]

@mikewest We derived this idea from one of your comments in the WebAppSec meeting about hashes of URLs being confusing. Do you have any thoughts?

[antosart]

It seems this is what is currently being implemented in chrome, cf. https://chromium-review.googlesource.com/c/chromium/src/+/6496953. Maybe it makes sense to update the explainer if this is where we want to go?