Closed Bug 1202027 Opened 4 years ago Closed 4 years ago

Make SRI require CORS loads for cross-origin resources

Categories: Core :: DOM: Security, defect

Status: RESOLVED FIXED
Target Milestone: mozilla43
Tracking Status: firefox43 --- fixed

People: Reporter: francois, Assigned: francois

The SRI spec recently changed to "fail closed" when cross-origin loads request SRI protection without specifying the crossorigin attribute: https://github.com/w3c/webappsec/pull/437
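
An added example (not part of the bug report or the Firefox patch): a Python audit that lists the script and link tags on a page that request integrity checking for a cross-origin URL without a crossorigin attribute, which are the loads that fail closed after this change. The page URL, the sample markup and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute holding the resource URL for each element SRI applies to.
URL_ATTR = {"script": "src", "link": "href"}

def origin(url):
    """Return the (scheme, host, port) tuple that defines a web origin."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, parts.port or default)

class SRIAudit(HTMLParser):
    """Collect integrity-protected cross-origin loads that lack crossorigin."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.blocked = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url_attr = URL_ATTR.get(tag)
        if not url_attr or not attrs.get(url_attr) or not attrs.get("integrity"):
            return  # not a subresource load, or no SRI requested
        target = urljoin(self.page_url, attrs[url_attr])
        if origin(target) == origin(self.page_url):
            return  # same-origin loads are eligible without CORS
        if "crossorigin" not in attrs:
            # No CORS request is made, so the response is not eligible
            # for integrity validation and the load fails closed.
            self.blocked.append((tag, target))

def find_blocked(page_url, html):
    audit = SRIAudit(page_url)
    audit.feed(html)
    return audit.blocked

# Constructed sample page, not taken from the bug.
SAMPLE = """
<script src="/app.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-BBBB"></script>
<script src="https://cdn.example.net/ok.js" integrity="sha384-CCCC" crossorigin="anonymous"></script>
<link rel="stylesheet" href="//static.example.org/s.css" integrity="sha384-DDDD">
"""

if __name__ == "__main__":
    for tag, url in find_blocked("https://www.example.com/index.html", SAMPLE):
        print(f"<{tag}> {url}: integrity without crossorigin, will be blocked")
```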

Bug 1202027 - Make SRI require CORS loads for cross-origin resources. r?ckerschb

Attachment #8657374 - Flags: review?(mozilla)

Comment on attachment 8657374
MozReview Request: Bug 1202027 - Make SRI require CORS loads for cross-origin resources. r?ckerschb

https://reviewboard.mozilla.org/r/18367/#review16603

nice!

::: dom/security/SRICheck.cpp:278
(Diff revision 1)
> -    return NS_OK; // ignore non-CORS resources for forward-compatibility
> +    return NS_ERROR_SRI_NOT_ELIGIBLE;
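
Review bot: the new return of NS_ERROR_SRI_NOT_ELIGIBLE at dom/security/SRICheck.cpp:278 has no comment and no log call, while the line it replaces carried an inline comment explaining why non-CORS resources were let through. Suggest a one-line comment stating that non-CORS resources are now rejected rather than ignored, plus an SRILOG call before the return so that a blocked load can be traced back to this check.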

Potentially you wanna use SRILOG before returning, but up to you.

Attachment #8657374 - Flags: review?(mozilla) → review+

https://hg.mozilla.org/mozilla-central/rev/e7bb8fc8b53b

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43