w3c · yoavweiss · Dec 6, 2024 · Nov 22, 2024 · Nov 25, 2024 · Nov 26, 2024
diff --git a/index.bs b/index.bs
@@ -164,6 +164,11 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
   type:dfn
     text: administratively-prohibited; url: #dfn-administratively-prohibited
 
+spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
+  type:dfn;
+    text:applying algorithm to bytes; url: #apply-algorithm-to-response
+    text: cryptographic hash function; url: #hash-functions
+
 </pre>
 <pre class="biblio">
 {
@@ -182,7 +187,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
   "REPORTING": {
     "href": "https://wicg.github.io/reporting/",
     "title": "Reporting API",
-    "authors": [ "Ilya Gregorik", "Mike West" ]
+    "authors": [ "Ilya Grigorik", "Mike West" ]
   },
   "TIMING": {
       "href": "https://owasp.org/www-pdf-archive/HackPra_Allstars-Browser_Timing_Attacks_-_Paul_Stone.pdf",
@@ -684,7 +689,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
     <dfn>keyword-source</dfn> = "<dfn>'self'</dfn>" / "<dfn>'unsafe-inline'</dfn>" / "<dfn>'unsafe-eval'</dfn>"
                      / "<dfn>'strict-dynamic'</dfn>" / "<dfn>'unsafe-hashes'</dfn>" /
                      / "<dfn>'report-sample'</dfn>" / "<dfn>'unsafe-allow-redirects'</dfn>"
-                     / "<dfn>'wasm-unsafe-eval'</dfn>"
+                     / "<dfn>'wasm-unsafe-eval'</dfn>" / "<dfn>'report-sha256'</dfn>"
 
     ISSUE: Bikeshed `unsafe-allow-redirects`.
 
@@ -695,6 +700,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
     ; Digests: 'sha256-[digest goes here]'
     <dfn>hash-source</dfn>    = "'" <a>hash-algorithm</a> "-" <a>base64-value</a> "'"
     <dfn>hash-algorithm</dfn> = "sha256" / "sha384" / "sha512"
+
   </pre>
 
   The <a grammar>host-char</a> production intentionally contains only ASCII
@@ -1082,6 +1088,29 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
 
               2.  If |policy|'s <a for="policy">disposition</a> is "`enforce`",
                   then set |result| to "`Blocked`".
+          2.  If |directive|'s <a for="directive">value</a> <a for="list">contains</a> the
+              expression "<a grammar>`'report-sha256'`</a>" and |directive|'s [=directive/name=]
+              is "script-src", then:
+              1.  Let |algo| be "sha-256".
+              1.  Let |hash| be the empty [=string=].
+              1.  If |response| is [=CORS-same-origin=], then:
+                  1. Let |hash list| be a [=list=] of [=strings=], initially empty.
+                  1. [=list/Append=] |algo| to |hash list|.
+                  1. [=list/Append=] the result of [=applying algorithm to bytes=] on |response|'s
+                     [=response/body=] and |algo| to |hash list|.
+                  1. Let |hash| be the result of [=concatenating=] |hash list| with U+002D (-).
+              1.  Let |body| be a [=csp hash report body=] with the current document' URL as its
+                  [=documentURL=], |request|'s URL as its [=subresourceURL=], |hash| as its
+                  [=hash=], and "subresource" as its [=csp hash report body/type=].
+              1.  [=Generate and queue a report=] with the following arguments:
+                  :   <var ignore>context</var>
+                  ::  <var ignore>settings object</var>
+                  :   <var ignore>type</var>
+                  ::  "csp-hash"
+                  :   <var ignore>destination</var>
+                  ::  |directive|'s <a for="directive">value</a>.
+                  :   <var ignore>data</var>
+                  ::  |body|
 
       Note: This portion of the check verifies that the page can load the
       response. That is, that a Service Worker hasn't substituted a file which
@@ -1593,6 +1622,20 @@ this algorithm returns normally if compilation is allowed, and throws a
     };
   </pre>
 
+  When a [=`report-hash`=] directive is present, <dfn export>csp hash report</dfn> may be generated
+  and sent out to a reporting endpoint associated with the <a for="/">policy</a>.
+
+  <p><a>csp hash reports</a> have the <a>report type</a> "csp-hash".</p>
+
+  <p><a>csp violation reports</a> are not <a>visible to
+  <code>ReportingObserver</code>s</a>.
+
+  <p>A <dfn>csp hash report body</dfn> is a [=struct=] with the following fields:
+      <dfn for="csp hash report body">documentURL</dfn>,
+      <dfn for="csp hash report body">subresourceURL</dfn>,
+      <dfn for="csp hash report body">hash</dfn>,
+      <dfn for="csp hash report body">type</dfn>.
+
   <h3 id="violation-events">
     Violation DOM Events
   </h3>
@@ -3630,6 +3673,17 @@ this algorithm returns normally if compilation is allowed, and throws a
     directive-value = <a grammar>token</a>
   </pre>
 
+  <h4 id="directive-report-hash">`report-hash`</h4>
+
+  The <dfn export>`report-hash`</dfn> directive signifies that script hash reports
+  should be sent to <a lt="endpoint">reporting endpoints</a> [[REPORTING]]. The
+  directive's name and value are described by the following ABNF:
+
+  <pre>
+    directive-name  = "report-hash"
+    directive-value = <a grammar>token</a>
+  </pre>
+
   <h3 id="directives-elsewhere">
     Directives Defined in Other Documents
   </h3>