Consider enabling require-sri-for by default

NEW
Unassigned

Status

()

Core
DOM: Security
P2
normal
10 months ago
4 months ago

People

(Reporter: jkt, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-active])

(Reporter)

Description

10 months ago
Chrome intends to implement require-sri-for by default:
https://bugs.chromium.org/p/chromium/issues/detail?id=618924

We switched this off in Bug 1279420 via a pref as we were not sure about the standardisation and default

We should double check that we have tests for blocking import scripts and @import CSS and anything else that might make a network request before enabling.
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
(Reporter)

Updated

4 months ago
Status: ASSIGNED → NEW
(Reporter)

Comment 1

4 months ago
Removing assign at the moment as I'm not working on this.
Assignee: jkt → nobody
You need to log in before you can comment on or make changes to this bug.