Closed Bug 1277248 Opened 4 years ago Closed 3 years ago
Add test to ensure that CSP require-sri-for blocks <svg:script>
svg:script doesn't technically know about Subresource Integrity, according to https://github.com/w3c/webappsec/issues/396. This bug is to investigate if this is a potential CSP |require-sri-for| bypass and add a test case to ensure it isn't. But so far, my local testing cannot make svg:script work with the CSP set. I have a naive PHP test attached (yet to become a mochitest).
This /could/ be a good first bug.
Summary: SRI: <svg:script> is supposedly a special snowflake and needs its own SRI support → Add test to ensure that CSP require-sri-for blocks <svg:script>
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog3]
Assignee: nobody → fbraun
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog3] → [domsecurity-active]
Comment on attachment 8790639 [details] Bug 1277248: add test to ensure that require-sri-for does not allow svg:scripts https://reviewboard.mozilla.org/r/78352/#review76936 lgtm,r=me and thanks!
Attachment #8790639 - Flags: review?(ckerschb) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/d434f479d145 Add test to ensure that require-sri-for does not allow svg:scripts r=ckerschb
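Added example, not part of the bug or of the test that landed: a static audit that lists the external scripts in a document that cannot satisfy `require-sri-for script`. Following the bug description, it treats every external `<svg:script>` as failing because svg:script has no SRI support. The function names, the sample markup and the `cdn.example` URLs are constructed for illustration.

```javascript
// Added example: static audit of markup; not Firefox's test or implementation.
// Tags are found by regex, so '>' inside attribute values is out of scope.
// Return the resource types named by the require-sri-for directive.
function sriRequiredFor(csp) {
  const d = csp.split(';').map((s) => s.trim().toLowerCase().split(/\s+/))
    .find(([name]) => name === 'require-sri-for');
  return new Set(d ? d.slice(1) : []);
}

// Parse one start tag's attribute text into a lowercase-keyed object.
function parseAttrs(text) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of text.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// List external script loads that cannot satisfy "require-sri-for script".
function auditScripts(markup, csp) {
  if (!sriRequiredFor(csp).has('script')) return [];
  const findings = [];
  const tagRe = /<(\/?)((?:svg:)?script|svg)\b([^>]*)>/gi;
  let svgDepth = 0;
  for (const [, closing, rawName, attrText] of markup.matchAll(tagRe)) {
    const name = rawName.toLowerCase();
    if (name === 'svg') {
      if (!/\/\s*$/.test(attrText)) svgDepth += closing ? -1 : 1; // skip <svg/>
      continue;
    }
    if (closing) continue;
    const attrs = parseAttrs(attrText);
    if (svgDepth > 0 || name === 'svg:script') {
      // Assumption from the bug: svg:script has no SRI, so integrity is ignored.
      const url = attrs['href'] ?? attrs['xlink:href'];
      if (url !== undefined) findings.push({ kind: 'svg:script', url });
    } else if (attrs['src'] !== undefined && !attrs['integrity']) {
      findings.push({ kind: 'script', url: attrs['src'] });
    }
  }
  return findings;
}
// Constructed sample input (placeholder host and hash).
const SAMPLE_CSP = 'require-sri-for script';
const SAMPLE_PAGE = `<script src="https://cdn.example/a.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example/b.js"></script>
<svg xmlns:xlink="http://www.w3.org/1999/xlink"><script xlink:href="https://cdn.example/c.js"/></svg>`;
console.log(auditScripts(SAMPLE_PAGE, SAMPLE_CSP));
```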