Skip to content

Add url- and eval- prefix for URL and eval hashes #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
meacer opened this issue Apr 17, 2025 · 2 comments
Open

Add url- and eval- prefix for URL and eval hashes #4

meacer opened this issue Apr 17, 2025 · 2 comments

Comments

@meacer
Copy link
Collaborator

meacer commented Apr 17, 2025

During the WebAppSec meeting, it was suggested that the introduction of URL hashes would be confusing -- it's not immediately clear what security guarantees the hashing provides. The has is a compact representation of the URL, but beyond that, it doesn't make the policy more restrictive.

To make this more clear, it was suggested that we could prefix URL (and perhaps eval) hashes with url- (and eval-) prefixes, like so:

script-src-v2 'url-sha256-abcdef'

This has some nice properties:

  • Makes the policy more transparent. No need to guess if a hash is for a script content or for a URL.
  • No collisions between script contents and URLs. We plan to support relative URLs, and a relative URL like value?a:b is valid JavaScript. Prefixing URL hashes will prevent attacks that make use of this fact.
  • If we also introduce the eval- prefix, the eval related parts of the policy stand out, potentially as something to be mitigated/avoided in the future.

The obvious downside is the repetition and the slight increase in the policy size which feels like a minor issue.

On balance, I think it makes sense to drop the url-hashes keyword and add url- and eval- prefixes to the relevant hashes.

@meacer
Copy link
Collaborator Author

meacer commented Apr 24, 2025

@mikewest We derived this idea from one of your comments in the WebAppSec meeting about hashes of URLs being confusing. Do you have any thoughts?

@antosart
Copy link

It seems this is what is currently being implemented in chrome, cf. https://chromium-review.googlesource.com/c/chromium/src/+/6496953. Maybe it makes sense to update the explainer if this is where we want to go?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants