Closed Bug 1277248 Opened 4 years ago Closed 3 years ago

Add test to ensure that CSP require-sri-for blocks <svg:script>

Categories

(Core :: DOM: Security, defect, P3)

RESOLVED FIXED
mozilla51
Tracking Status
firefox51 --- fixed

People

(Reporter: freddyb, Assigned: freddyb)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

Attached file test_svg.php
svg:script doesn't technically know about Subresource Integrity, according to https://github.com/w3c/webappsec/issues/396

This bug is to investigate if this is a potential CSP |require-sri-for| bypass and add a test case to ensure it isn't.

But so far, my local testing cannot make svg:script work with the CSP set.

I have a naive PHP test attached (yet to become a mochitest).
This /could/ be a good first bug.
Summary: SRI: <svg:script> is supposedly a special snowflake and needs its own SRI support → Add test to ensure that CSP require-sri-for blocks <svg:script>
Whiteboard: [domsecurity-backlog]
Priority: -- → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog3]
Assignee: nobody → fbraun
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog3] → [domsecurity-active]
Comment on attachment 8790639 [details]
Bug 1277248: add test to ensure that require-sri-for does not allow svg:scripts

https://reviewboard.mozilla.org/r/78352/#review76936

lgtm, r=me and thanks!
Attachment #8790639 - Flags: review?(ckerschb) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d434f479d145
Add test to ensure that require-sri-for does not allow svg:scripts r=ckerschb
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/d434f479d145
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51