Open Bug 1343950 Opened 6 years ago Updated 1 month ago

Content Security Policy (CSP) implement unsafe-hashes

Categories

(Core :: DOM: Security, task, P3)

People

(Reporter: luke.semerau, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-needed, parity-chrome, Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

Example HTML:
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashed-attributes' 'sha256-XTqNqFSUlZHAW7f/OGNYSOEzxKhjdAAGMXoid2VEbJk=';">
</head>
<body>
<button onclick="alert('hi')">click me to say hi</button>
</body>
</html>


Click on button.


Actual results:

console:

 Content Security Policy: Couldn’t parse invalid host 'unsafe-hashed-attributes'

 Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'sha256-XTqNqFSUlZHAW7f/OGNYSOEzxKhjdAAGMXoid2VEbJk='”). Source: onclick attribute on BUTTON element.


Expected results:

Alert with 'hi' should be shown.

https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage
Component: Untriaged → DOM: Security
Product: Firefox → Core
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Duplicate of this bug: 1479406

This seems to have been renamed to 'unsafe-hashes'

Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Content Security Policy (CSP) implement unsafe-hashed-attributes → Content Security Policy (CSP) implement unsafe-hashes
Type: defect → task