Open
Bug 1457204
Opened 7 years ago
Updated 9 months ago
CSP: Implement "resource hint" blocking (previously prefetch-src)
Categories
(Core :: DOM: Security, task, P3)
Core
DOM: Security
Tracking
()
NEW
People
(Reporter: yoav, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug, )
Details
(Keywords: dev-doc-needed, Whiteboard: [domsecurity-backlog2])
Attachments
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
Steps to reproduce:
In order to block potential data leaks through prefetch requests, it was decided [1] that a `prefetch-src`CSP directive would be added and control such requests, and that prefetch requests would have their own `Request.initiator` and an empty string destination[2].
[1] https://github.com/w3c/webappsec-csp/issues/107
[2] https://github.com/whatwg/fetch/pull/659
Actual results:
Going to http://w3c-test.org/content-security-policy/prefetch-src/ the tests fail
Expected results:
They should pass
Updated•7 years ago
|
Component: Untriaged → DOM: Security
Product: Firefox → Core
Updated•7 years ago
|
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Updated•5 years ago
|
Keywords: dev-doc-needed
Updated•5 years ago
|
Type: defect → task
Version: 47 Branch → unspecified
Updated•2 years ago
|
Severity: normal → S3
Comment 1•1 year ago
|
||
FWIW it looks like the spec no longer suggests using prefetch-src
. If you follow the Chromium implementation bug they used least restrictive - which is in spec here: https://w3c.github.io/webappsec-csp/#does-resource-hint-violate-policy
Updated•10 months ago
|
Summary: Implement `prefetch-src` CSP directive → CSP: Implement "resource hint" blocking (previously prefetch-src)
Updated•10 months ago
|
Updated•10 months ago
|
See Also: → https://github.com/w3c/webappsec-csp/pull/582
Comment 2•9 months ago
|
||
Depends on D197153
Updated•9 months ago
|
See Also: → https://github.com/w3c/webappsec-csp/issues/633
You need to log in
before you can comment on or make changes to this bug.
Description
•