Open Bug 1457204 Opened 6 years ago Updated 2 months ago

CSP: Implement "resource hint" blocking (previously prefetch-src)

(Core :: DOM: Security, task, P3)
(Reporter: yoav, Unassigned)
(Depends on 1 open bug, Blocks 1 open bug, )
(Keywords: dev-doc-needed, Whiteboard: [domsecurity-backlog2])
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Steps to reproduce:

In order to block potential data leaks through prefetch requests, it was decided [1] that a `prefetch-src` CSP directive would be added to control such requests, and that prefetch requests would have their own `Request.initiator` and an empty string destination [2].


Actual results:

Going to the tests, they fail.

Expected results:

They should pass.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Type: defect → task
Version: 47 Branch → unspecified
Blocks: csp-w3c-3
Severity: normal → S3

FWIW, it looks like the spec no longer suggests using prefetch-src. If you follow the Chromium implementation bug, they used least restrictive, which is in spec here:

Summary: Implement `prefetch-src` CSP directive → CSP: Implement "resource hint" blocking (previously prefetch-src)
Depends on: 1871560
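To make the "least restrictive" resource-hint semantics concrete, here is an added example (not code from this bug, the spec, or the Firefox/Chromium implementations) that models both approaches side by side: a dedicated `prefetch-src` directive that falls back to `default-src` (the original proposal), versus resource-hint blocking where a prefetch is allowed if `default-src` is absent or if any fetch directive in the policy allows the URL. The policy parser and source-expression matcher are deliberately simplified (no port or path matching, no `'nonce-'`/`'hash-'` sources); the header values, origins and URLs are constructed sample data, and the exact set of fetch directives is my assumption.

```python
"""Model of CSP prefetch handling: dedicated prefetch-src vs. "least restrictive" resource-hint blocking.

Simplified, illustrative model; not the spec's algorithm text and not browser code.
"""
from urllib.parse import urlparse

# Fetch directives considered when evaluating a resource hint (assumed list for this model).
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
}


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}.

    As in CSP, the first occurrence of a directive name wins; later duplicates are ignored.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def source_matches(expr, url, self_origin):
    """Simplified source-expression match: 'none', 'self', *, scheme-source and host-source.

    Host-source supports a leading "*." wildcard; ports and paths are not modelled.
    """
    p = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return f"{p.scheme}://{p.netloc}" == self_origin
    if expr == "*":
        return p.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as "https:"
        return p.scheme == expr[:-1]
    if "://" in expr:
        scheme, host = expr.split("://", 1)
    else:
        scheme, host = None, expr
    host = host.split("/", 1)[0]  # drop any path component (not matched in this model)
    if scheme is not None and p.scheme != scheme:
        return False
    if host.startswith("*."):
        return p.netloc.endswith(host[1:])  # "*.example" matches "cdn.example"
    return p.netloc == host


def directive_allows(policy, name, url, self_origin):
    """Conventional fetch-directive check: the named directive, falling back to default-src.

    This is what a dedicated prefetch-src directive would have done for prefetch requests.
    """
    sources = policy.get(name, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is present: nothing restricts it
    return any(source_matches(s, url, self_origin) for s in sources)


def prefetch_allowed(policy, url, self_origin):
    """'Least restrictive' resource-hint check, as this model reads the resource-hint proposal.

    No default-src present -> allowed. Otherwise the prefetch is allowed if ANY fetch
    directive in the policy (default-src included) allows the URL, and blocked only when
    none of them does. This is the opposite of the strict fallback in directive_allows().
    """
    if "default-src" not in policy:
        return True
    for name, sources in policy.items():
        if name not in FETCH_DIRECTIVES:
            continue
        if any(source_matches(s, url, self_origin) for s in sources):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: images may come from a CDN, everything else is same-origin.
    policy = parse_csp("default-src 'self'; img-src https://cdn.example; script-src 'none'")
    origin = "https://app.example"
    hero = "https://cdn.example/hero.png"
    print("prefetch-src fallback:", directive_allows(policy, "prefetch-src", hero, origin))
    print("resource-hint (least restrictive):", prefetch_allowed(policy, hero, origin))
```

Running it shows the difference the comment above points at: with the sample policy, prefetching the CDN image is blocked under a dedicated `prefetch-src` (it falls back to `default-src 'self'`) but allowed under resource-hint blocking, because `img-src` would allow the eventual real fetch of that URL; a URL no fetch directive allows is still blocked in both models.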