Introduces new keywords for the script-src Content Security Policy (CSP) directive. These add two hash-based allowlisting mechanisms: allowlisting scripts by the hash of their URL, and allowlisting the contents passed to eval() and eval-like functions by hash. We loosely refer to this as script-src-v2, although it is backwards compatible with the existing script-src and uses the same directive. Extending hashes to cover URLs and eval() contents lets developers set reasonably strict policies: scripts can be narrowly allowlisted by hash even when their contents change frequently, and known-safe eval() inputs can be permitted without allowing unchecked use of eval() broadly. When the new keywords are present, they override the host-based sources in script-src. Browsers that do not implement the new keywords ignore them, as CSP already requires for unrecognized source expressions, and fall back to the host-based sources, so a single header can serve browsers both with and without support for the new keywords.
Allowlisting script-src URLs by hash with a new keyword, url-hashes: Sites that want to allowlist scripts with script-src currently have two options: allowlist script contents by hash (combined with subresource integrity for external scripts), which is impractical for scripts that change often (e.g. analytics), or use host-source to allowlist entire hostnames, which allowlists more than is necessary. This proposal permits allowlisting full URLs, which gives precise targeting while still letting the script's contents change as needed. Carrying hashes rather than raw URLs in the policy also keeps the header succinct when long URLs are allowlisted. Note that a URL hash pins the address, not the bytes served from it, so it rests on trusting the server behind that URL rather than on the script's contents.

Safer use of eval(), Function, setTimeout, setInterval, and setImmediate: The only existing mechanism for using eval() and eval-like functions is to enable them without restriction via unsafe-eval. This means that any site that needs eval() today (for example, for feature detection) must accept the eval-based XSS risk that comes with unrestricted eval(). Allowlisting the individual eval() inputs by hash mitigates this.
Explainers: https://github.com/explainers-by-googlers/script-src-v2