ReferrerPolicy should not be delivered through CSPRO

RESOLVED FIXED in Firefox 50

Status

Product: Core
Component: DOM: Security
Priority: P1
Severity: normal
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: a year ago

People

(Reporter: tnguyen, Assigned: ckerschb)

Tracking

(Blocks: 1 bug)

Version: unspecified
Target Milestone: mozilla50
Points: ---

Firefox Tracking Flags

(firefox50 fixed)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

2 years ago
In [1], we should check for report-only before adding referrerPolicy (only add it in the case of a non-report-only policy).
[1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPContext.cpp#335
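To make the point of the bug concrete, the following is an added example (not Firefox's nsCSPContext.cpp code, and not part of the original bug): a small header processor that derives a document's effective referrer policy from its CSP headers. It assumes the directive is the CSP-era `referrer` directive with its five known values, that the first valid enforced value wins, and that a Content-Security-Policy-Report-Only header must never influence the result, since report-only policies only generate violation reports. The sample headers are constructed to mirror the two cases the patch tests: CSPRO alone, and CSP together with CSPRO.

```javascript
// Added example (not Firefox code): derive the effective referrer policy
// from a response's CSP headers. Only enforced Content-Security-Policy
// headers may contribute; Content-Security-Policy-Report-Only must never
// change behaviour, so any `referrer` directive it carries is ignored.

const ENFORCED = "content-security-policy";
const REPORT_ONLY = "content-security-policy-report-only";

// Known values of the (since deprecated) CSP `referrer` directive.
const REFERRER_VALUES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "origin",
  "origin-when-cross-origin",
  "unsafe-url",
]);

// Parse one policy string ("default-src 'self'; referrer origin") into
// a Map of directive name -> array of value tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, a directive repeated within one policy is ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// headers: array of [name, value] pairs as received on the response.
// Returns the referrer policy string, or null if no enforced CSP set one.
function effectiveReferrerPolicy(headers) {
  let result = null;
  for (const [rawName, value] of headers) {
    const name = rawName.toLowerCase();
    if (name === REPORT_ONLY) {
      // The bug was treating this header like an enforced one. Report-only
      // policies only produce violation reports, so skip them entirely.
      continue;
    }
    if (name !== ENFORCED) continue;
    // One header may carry several comma-separated policies.
    for (const policy of value.split(",")) {
      const tokens = parsePolicy(policy).get("referrer");
      if (!tokens || tokens.length !== 1) continue;
      const candidate = tokens[0].toLowerCase();
      if (!REFERRER_VALUES.has(candidate)) continue;
      // Assumption for this example: the first valid enforced value wins.
      if (result === null) result = candidate;
    }
  }
  return result;
}

// Constructed sample responses mirroring the test cases discussed on the bug.
const ONLY_CSPRO = [
  ["Content-Security-Policy-Report-Only", "default-src 'self'; referrer no-referrer"],
];
const CSP_AND_CSPRO = [
  ["Content-Security-Policy-Report-Only", "referrer no-referrer"],
  ["Content-Security-Policy", "default-src 'self'; referrer origin"],
];

console.log(effectiveReferrerPolicy(ONLY_CSPRO));     // null: CSPRO alone sets nothing
console.log(effectiveReferrerPolicy(CSP_AND_CSPRO));  // "origin": only the enforced header counts
```

The regression the bug describes is the opposite outcome for the first sample: a report-only header quietly changing the referrer policy the browser applies. Any test for this behaviour should cover both the CSPRO-only case and the mixed case, as the reviewer on this bug requested.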
(Assignee)

Comment 1

2 years ago
Thanks Thomas - please also add a test to make sure we never regress that.
Whiteboard: [domsecurity-active]
(Assignee)

Updated

2 years ago
Whiteboard: [domsecurity-active] → [domsecurity-backlog]
(Assignee)

Updated

2 years ago
Blocks: 1231788
(Assignee)

Updated

a year ago
Priority: -- → P1
(Assignee)

Updated

a year ago
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog] → [domsecurity-active]
(Assignee)

Comment 2

a year ago
Created attachment 8764185 [details] [diff] [review]
bug_1268327_referrer_policy_ro.patch

https://treeherder.mozilla.org/#/jobs?repo=try&revision=5caf96a61a42
Attachment #8764185 - Flags: review?(tnguyen)
(Reporter)

Comment 3

a year ago
Comment on attachment 8764185 [details] [diff] [review]
bug_1268327_referrer_policy_ro.patch

Review of attachment 8764185 [details] [diff] [review]:
-----------------------------------------------------------------

Lgtm.
Could we add a case that both a Content-Security-Policy-Report-Only header and a Content-Security-Policy header are present?
Attachment #8764185 - Flags: review?(tnguyen) → review+
(Assignee)

Comment 4

a year ago
Created attachment 8764217 [details] [diff] [review]
bug_1268327_referrer_policy_ro.patch

(In reply to Thomas Nguyen[:tnguyen] from comment #3)
> Could we add a case that both a Content-Security-Policy-Report-Only header
> and a Content-Security-Policy header are present?

Sure can, added another test that delivers a CSP and a CSPRO.
Carrying over r+!
TRY looks good, this is ready to land!
Attachment #8764185 - Attachment is obsolete: true
Attachment #8764217 - Flags: review+
(Assignee)

Updated

a year ago
Keywords: checkin-needed

Comment 5

a year ago
bugherder landing
https://hg.mozilla.org/integration/mozilla-inbound/rev/0bed705c1430
Keywords: checkin-needed

Comment 6

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0bed705c1430
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50