Closed Bug 1386214 Opened 2 years ago Closed 9 months ago

Remove require-sri from the CSP-Module

Categories

(Core :: DOM: Security, enhancement, P2)

enhancement

Tracking

()

RESOLVED FIXED
mozilla68
Tracking Status
firefox68 --- fixed

People

(Reporter: jkt, Assigned: sstreich)

References

(Depends on 1 open bug)

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-active][wptsync upstream])

Attachments

(1 file, 1 obsolete file)

Chrome intends to implement require-sri-for by default:
https://bugs.chromium.org/p/chromium/issues/detail?id=618924

We switched this off in Bug 1279420 via a pref as we were not sure about the standardisation and default

We should double check that we have tests for blocking import scripts and @import CSS and anything else that might make a network request before enabling.
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Status: ASSIGNED → NEW
Removing assign at the moment as I'm not working on this.
Assignee: jkt → nobody
Depends on: 1518740
Depends on: 1277495
Summary: Consider enabling require-sri-for by default → Consider enabling or removing require-sri-for by default
See Also: → 1530445
Assignee: nobody → streich.mobile
Status: NEW → ASSIGNED

As discussed with folks from Google, we are going to remove support for require-sri-for - please note that we never shipped it - implementation was only available behind a flag.

Was implemented in bug 1265318. Three patches to remove.


Removed Test for Require SRI


Delete unused Files

Attachment #9053583 - Attachment description: Bug 1386214 - Remove reqire-sri from the CSP-Module r=ckerschb → Bug 1386214 - Remove require-sri from the CSP-Module r=ckerschb
Attachment #9053546 - Attachment is obsolete: true
Keywords: dev-doc-needed
Summary: Consider enabling or removing require-sri-for by default → Remove require-sri from the CSP-Module

This change requires DOM peer review. Requested review from Andrew.

Keywords: checkin-needed
Keywords: checkin-needed

Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3d66d37e72c3
Remove require-sri from the CSP-Module r=ckerschb,qdot

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/16160 for changes under testing/web-platform/tests
Whiteboard: [domsecurity-active] → [domsecurity-active][wptsync upstream]

Documentation updates:

You need to log in before you can comment on or make changes to this bug.