Closed Bug 1277557 Opened 8 years ago Closed 8 years ago

CSP require-sri-for does not block when CSP is in <meta> tag

Categories

(Core :: DOM: Security, defect, P1)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla50
Tracking Flags:
Tracking Status
firefox50 --- fixed

People

(Reporter: freddy, Assigned: ckerschb)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

bug_1277557_csp_sri_meta.patch
2.23 KB, patch
francois
: review+
Details | Diff | Splinter Review
bug_1277557_csp_sri_meta_tests.patch
5.69 KB, patch
francois
: review+
Details | Diff | Splinter Review 
This needs investigation and I have yet to figure out why.
It doesn't seem to be related to the loadType, but I might be wrong :)
I suppose in ::OnStreamComplete() we have to check if the contentpolicyType is TYPE_SCRIPT_PRELOAD, and if that is the case then we have to query and consult the preloadCSP |principal->GetPreloadCsp()| instead of the actual CSP. Oh joy!
Whiteboard: [domsecurity-backlog]
Blocks: csp-w3c-3
Blocks: SRI
Priority: -- → P1
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog] → [domsecurity-active]

        Attachment #8767150 -
        Flags: review?(francois)

        Attachment #8767150 -
        Flags: review?(francois) → review+

        Attachment #8767152 -
        Flags: review?(francois) → review+

    
    

    
  
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2373b4f2f321
CSP require-sri-for does not block when CSP is in meta tag r=francois
https://hg.mozilla.org/integration/mozilla-inbound/rev/fe2cd5c40e73
Test require-sri-for in meta tag r=francois

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2373b4f2f321
https://hg.mozilla.org/mozilla-central/rev/fe2cd5c40e73
Status: ASSIGNED → RESOLVED
Closed: 8 years ago

          status-firefox50:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: