ISSUE-36: hash as a source expression for csp 1.1

hash as a source expression for csp 1.1

CSP Level 2
Raised by:
Opened on:
trying a fetch of remote content before checking the hash may have undesirable CSRF-like effects, so the group believes that a hash source expression should only apply to inline resources - for remote resources it should be combined with future work on sub-resource integrity

name/scheme of this source expression should probably be something like inline-hash to be clear?
Related Actions Items:
No related actions
Related emails:
No related emails

Related notes:

would this just apply to inline content or potentially also to remote content?

Brad Hill, 25 Apr 2013, 18:41:26

This is in 1.1, does not apply to remote content.

Mike West, 10 Feb 2014, 13:20:56

Display change log ATOM feed

Daniel Veditz <>, Mike West <>, Chairs, Wendy Seltzer <>, Samuel Weiler <>, Staff Contacts
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: 36.html,v 1.1 2020/01/17 08:52:30 carcone Exp $