Closed Bug 1178556 Opened 9 years ago Closed 9 years ago

Ensure script-src 'self' is restricted to content inside the signed package

Categories

(Core :: DOM: Security, defect, P2)

Tracking

RESOLVED WONTFIX
FxOS-S9 (16Oct)
tracking-b2g backlog

People

(Reporter: pauljt, Assigned: ethan)

FxOS is moving to a new signed packaged model for privileged content, instead of signed apps. These signed packages will have their own origin (see bug 1178526 and bug 1163254) and need to ensure that CSP prevents loading scripts from outside the package into this origin.
I am not sure whether I'm capable of doing this bug or not. But since it blocks nsec-csp (bug 1153423), I'll take it first.
Assignee: nobody → ettseng
Priority: -- → P1
Priority: P1 → P2
blocking-b2g: --- → 2.5+
I think we should first write tests to verify the behavior, and this can be done only after the default CSP policy for signed packages is implemented. Therefore, set bug 1179060 as a blocker of this one.
Depends on: 1179060
Target Milestone: --- → FxOS-S8 (02Oct)
Status: NEW → ASSIGNED
Target Milestone: FxOS-S8 (02Oct) → FxOS-S9 (16Oct)
[Tracking Requested - why for this release]: This bug as part of New Security Model is not a 2.5 blocker as New Sec is not part of 2.5 now. Removing 2.5 blocker flag.
blocking-b2g: 2.5+ → ---
Paul, B2G specific, can we close this one?
Flags: needinfo?(ptheriault)
The same as bug 1179060. Even if we plan to continue NSEC v2, signed package would no longer be an option. No reason to work on this bug.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(ptheriault)
Resolution: --- → WONTFIX