Open Bug 1457204 Opened 4 years ago Updated 6 months ago

Implement `prefetch-src` CSP directive

Tracking

()

Status:

NEW

People

(Reporter: yoav, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-needed, Whiteboard: [domsecurity-backlog2])

Yoav Weiss

Reporter

Description

•

4 years ago

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Steps to reproduce:

In order to block potential data leaks through prefetch requests, it was decided [1] that a `prefetch-src`CSP directive would be added and control such requests, and that prefetch requests would have their own `Request.initiator` and an empty string destination[2].

[1] https://github.com/w3c/webappsec-csp/issues/107
[2] https://github.com/whatwg/fetch/pull/659




Actual results:

Going to http://w3c-test.org/content-security-policy/prefetch-src/ the tests fail


Expected results:

They should pass

Ben Kelly [:bkelly, not reviewing]

Updated

•

4 years ago

Component: Untriaged → DOM: Security

Product: Firefox → Core

Daniel Veditz [:dveditz]

Updated

•

4 years ago

Priority: -- → P3

Whiteboard: [domsecurity-backlog2]

Florian Scholz (Open Web Docs)

Updated

•

3 years ago

Keywords: dev-doc-needed

Sylvestre Ledru [:Sylvestre]

Updated

•

3 years ago

Type: defect → task

Version: 47 Branch → unspecified

Brian Birtles (:birtles)

Updated

•

1 year ago

Updated

•

6 months ago

Blocks: csp-w3c-3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Implement `prefetch-src` CSP directive

Categories

(Core :: DOM: Security, task, P3)

Tracking

()

People

(Reporter: yoav, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-needed, Whiteboard: [domsecurity-backlog2])

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated

Updated

Updated

Updated