Closed Bug 1082924 Opened 8 years ago Closed 8 years ago

Add nsIContentPolicy::TYPE_FETCH

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla36

People

(Reporter: nsm, Assigned: nsm)

References

Details

(Keywords: dev-doc-complete)

Attachments

(1 file, 1 obsolete file)

The fetch specification[1] uses it for fetching Requests created by content code. Behaviour is similar to XHR in being restricted by CSP directive connect-src.

[1]: https://fetch.spec.whatwg.org
Assignee: nobody → nsm.nikhil
Status: NEW → ASSIGNED
Comment on attachment 8505111 [details] [diff] [review]
Add CSP type for fetch API

Tanvi for content/
Andrea for dom/fetch oneliner.
Attachment #8505111 - Flags: review?(tanvi)
Attachment #8505111 - Flags: review?(amarchesini)
Comment on attachment 8505111 [details] [diff] [review]
Add CSP type for fetch API

Review of attachment 8505111 [details] [diff] [review]:
-----------------------------------------------------------------

I'm not familiar with nsIContentPolicy.
Attachment #8505111 - Flags: review?(amarchesini)
Tanvi, so I can only really test the TYPE_FETCH in the fetch specification tests (Bug dom-fetch-api) since fetch() is the only user of the type. I will add tests there in the patches that add CSP support (not up yet) and mark you for review there. Does that sound good?
https://mxr.mozilla.org/mozilla-central/source/content/base/src/nsDataDocumentContentPolicy.cpp#118 should probably use a whitelist instead of a blacklist.  I'll file a bug for that.  For now, please add TYPE_FETCH to the blacklist.
(In reply to Nikhil Marathe [:nsm] (needinfo? please) from comment #5)
> Tanvi, so I can only really test the TYPE_FETCH in the fetch specification
> tests (Bug dom-fetch-api) since fetch() is the only user of the type. I will
> add tests there in the patches that add CSP support (not up yet) and mark
> you for review there. Does that sound good?

That sounds good.
With check added to nsData...
Attachment #8506617 - Flags: review?(tanvi)
Comment on attachment 8506617 [details] [diff] [review]
Add CSP type for fetch API

Andrea, the review isn't for the CSP, but for setting Request::mContext in GetRequestConstructorCopy as defined by the fetch spec in Request constructor step 3.
Attachment #8506617 - Flags: review?(amarchesini)
Attachment #8506617 - Flags: review?(amarchesini) → review+
Comment on attachment 8506617 [details] [diff] [review]
Add CSP type for fetch API

Please be sure to add a csp test for TYPE_FETCH in bug dom-fetch-api.  Thanks!
Attachment #8506617 - Flags: review?(tanvi) → review+
https://hg.mozilla.org/mozilla-central/rev/ac4bf4d89545
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.