[Webkit-unassigned] [Bug 270784] CSP: External script with matching SRI hash is blocked when 'strict-dynamic' is present in script-src

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 15 21:51:27 PDT 2024


--- Comment #6 from Fotis Papadogeorgopoulos <fotis.papadogeorgopoulos at wolt.com> ---
Hi Karl! Thank you and Anne for the help with this. 

The spec has now been changed to clarify this behaviour (https://github.com/w3c/webappsec-csp/issues/653) and the WPT test is merged (relevant view: https://wpt.fyi/results/content-security-policy/script-src/script-src-strict_dynamic_hashes.html?label=master&label=experimental&aligned&q=safari%3Afail%20firefox%3Apass%20chrome%3Apass).

Please let me know if there is anything else I can do on my side. Otherwise, happy to leave this to you all. Thanks again :)

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240416/e9d655a3/attachment-0001.htm>

More information about the webkit-unassigned mailing list