Closed Bug 1529337 Opened 4 years ago Closed 17 days ago

Implement CSP 'script-src-elem' and 'script-src-attr' directives

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

Tracking


RESOLVED FIXED
105 Branch
Tracking Status
firefox105 --- fixed

People

(Reporter: dveditz, Assigned: tschuster)

References

(Blocks 3 open bugs)

Details

(Keywords: dev-doc-needed, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

CSP 3 adds two new directives that supersede the script-src directive. These must be honored if present, with a fallback to script-src only if they are not.

script-src-elem specifically for <script> elements
https://w3c.github.io/webappsec-csp/#directive-script-src-elem

script-src-attr specifically for event handler attributes
https://w3c.github.io/webappsec-csp/#directive-script-src-attr

The major motivation for these appears to be so 'unsafe-inline' or 'unsafe-eval' can be allowed for the attribute one, which can't support a nonce, without blowing a hole everywhere else.
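The fallback and the "hole" the reporter describes, worked through as an added example (this is illustrative code written for this page, not Firefox's CSP implementation; the names parseCsp, effectiveScriptDirective and allowsInlineScript are assumptions). It resolves which directive governs a script element versus an inline event handler attribute, and shows why `script-src 'nonce-…'` alone blocks every `onclick=` while `script-src-attr 'unsafe-inline'` opens only the attribute context.

```javascript
// Added example, not code from the bug or from Firefox. Function names are assumed.

// Parse a Content-Security-Policy header value into Map<directiveName, [sources]>.
// A directive that appears twice is ignored after its first occurrence, as in the spec.
function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// CSP3 fallback chains for the two script contexts:
//   <script> element        -> script-src-elem, then script-src, then default-src
//   event handler attribute -> script-src-attr, then script-src, then default-src
const FALLBACK = {
  elem: ['script-src-elem', 'script-src', 'default-src'],
  attr: ['script-src-attr', 'script-src', 'default-src'],
};

// Name of the directive that governs `context` ('elem' or 'attr'), or null when the
// policy says nothing about it (which means the script is allowed). This is the
// name a CSP3 violation report carries as effectiveDirective for that context.
function effectiveScriptDirective(policy, context) {
  for (const name of FALLBACK[context]) {
    if (policy.has(name)) return name;
  }
  return null;
}

const NONCE_RE = /^'nonce-[A-Za-z0-9+/\-_]+=*'$/;
const HASH_RE = /^'sha(256|384|512)-[A-Za-z0-9+/\-_]+=*'$/;

// Does the policy permit inline script in `context`? Only <script> elements can
// carry a nonce; an event handler attribute cannot, so `nonce` is ignored for
// 'attr'. Under CSP2/3, 'unsafe-inline' is ignored whenever the governing source
// list also contains a nonce or hash source.
function allowsInlineScript(policy, context, nonce = null) {
  const name = effectiveScriptDirective(policy, context);
  if (name === null) return true;
  const sources = policy.get(name);
  if (context === 'elem' && nonce !== null && sources.includes(`'nonce-${nonce}'`)) {
    return true;
  }
  const hasNonceOrHash = sources.some((s) => NONCE_RE.test(s) || HASH_RE.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample policies.
// 1. Nonce-only policy: every onclick= handler is blocked, because the attribute
//    context falls back to script-src, whose nonce an attribute cannot carry.
const nonceOnly = parseCsp("script-src 'nonce-abc'");
// 2. The split the reporter describes: elements still need the nonce, attributes
//    are allowed via script-src-attr, and the nonce requirement is not weakened.
const split = parseCsp("script-src 'nonce-abc'; script-src-attr 'unsafe-inline'");

console.log(effectiveScriptDirective(nonceOnly, 'attr'), allowsInlineScript(nonceOnly, 'attr'));
console.log(effectiveScriptDirective(split, 'attr'), allowsInlineScript(split, 'attr'));
console.log(allowsInlineScript(split, 'elem'), allowsInlineScript(split, 'elem', 'abc'));
```

When a page is served with the second policy, a violation for an unnonced `<script>` element reports `script-src` as the effective directive (script-src-elem is absent, so the element context falls back), while a violation in an event handler would report `script-src-attr`; that distinction is what the second patch on this bug puts into the report's effectiveDirective field.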

Blocks: csp-w3c-3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Blocks: 1742631
Webcompat Priority: --- → ?

The WebCompat issue got fixed, so removing the WebCompat priority flag as we have no further evidence of this breaking the real world.

Webcompat Priority: ? → ---
Assignee: nobody → tschuster
Attachment #9284022 - Attachment description: WIP: Bug 1529337 - Implement CSP 'script-src-elem' and 'script-src-attr' directives → Bug 1529337 - Implement CSP 'script-src-elem' and 'script-src-attr' directives. r?freddyb
Attachment #9284925 - Attachment description: Bug 1529337 - Use script-src-elem/attr as violatedDirective in CSP reports. r?freddyb → Bug 1529337 - Use script-src-elem/attr as effectiveDirective in CSP reports. r?freddyb
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f1489d7cf1a1
Implement CSP 'script-src-elem' and 'script-src-attr' directives. r=freddyb,webidl,smaug
https://hg.mozilla.org/integration/autoland/rev/12cd014c46e8
Use script-src-elem/attr as effectiveDirective in CSP reports. r=freddyb
See Also: → 1529338
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch
Blocks: 1779443
Blocks: 1529338
See Also: 1529338

Backed out for awaiting decision on implementing other CSP 3 features

Backout link: https://hg.mozilla.org/integration/autoland/rev/a1bee21f1624f6fb220522f89a4d5cd38e0e6415

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 104 Branch → ---
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cb20674f1b07
Implement CSP 'script-src-elem' and 'script-src-attr' directives. r=freddyb,webidl,smaug,dveditz
https://hg.mozilla.org/integration/autoland/rev/70b37777bc92
Use script-src-elem/attr as effectiveDirective in CSP reports. r=freddyb,dveditz
Blocks: 1782513
Status: REOPENED → RESOLVED
Closed: 1 month ago → 17 days ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
Regressions: 1782730