Closed Bug 1529337 Opened 6 years ago Closed 2 years ago

Implement CSP 'script-src-elem' and 'script-src-attr' directives

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

Tracking

()

RESOLVED FIXED
105 Branch
Tracking Status
firefox105 --- fixed

People

(Reporter: dveditz, Assigned: tschuster)

References

(Blocks 2 open bugs)

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

CSP 3 adds two new directives that supersede the script-src directive. These must be honored if present, with a fallback to script-src only if they are not.

script-src-elem specifically for <script> elements
https://w3c.github.io/webappsec-csp/#directive-script-src-elem

script-src-attr specifically for event handler attributes
https://w3c.github.io/webappsec-csp/#directive-script-src-attr

The major motivation for these appears to be so 'unsafe-inline' or 'unsafe-eval' can be allowed for the attribute one which can't support a nonce without blowing a hole everywhere else.

Blocks: csp-w3c-3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Blocks: 1742631
Webcompat Priority: --- → ?

The WebCompat issue got fixed, so removing the WebCompat priority flag as we have no further evidence of this breaking the real world.

Webcompat Priority: ? → ---
Assignee: nobody → tschuster
Attachment #9284022 - Attachment description: WIP: Bug 1529337 - Implement CSP 'script-src-elem' and 'script-src-attr' directives → Bug 1529337 - Implement CSP 'script-src-elem' and 'script-src-attr' directives. r?freddyb
Attachment #9284925 - Attachment description: Bug 1529337 - Use script-src-elem/attr as violatedDirective in CSP reports. r?freddyb → Bug 1529337 - Use script-src-elem/attr as effectiveDirective in CSP reports. r?freddyb
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f1489d7cf1a1 Implement CSP 'script-src-elem' and 'script-src-attr' directives. r=freddyb,webidl,smaug https://hg.mozilla.org/integration/autoland/rev/12cd014c46e8 Use script-src-elem/attr as effectiveDirective in CSP reports. r=freddyb
See Also: → 1529338
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch
Blocks: 1779443
Blocks: 1529338
See Also: 1529338

Backed out for awaiting decision on implementing other CSP 3 features

Backout link: https://hg.mozilla.org/integration/autoland/rev/a1bee21f1624f6fb220522f89a4d5cd38e0e6415

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 104 Branch → ---
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cb20674f1b07 Implement CSP 'script-src-elem' and 'script-src-attr' directives. r=freddyb,webidl,smaug,dveditz https://hg.mozilla.org/integration/autoland/rev/70b37777bc92 Use script-src-elem/attr as effectiveDirective in CSP reports. r=freddyb,dveditz
Blocks: 1782513
Status: REOPENED → RESOLVED
Closed: 2 years ago2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
Regressions: 1782730
See Also: → 1789759
See Also: 1789759

FYI Docs work for this can be tracked here: https://github.com/mdn/content/issues/20878

In this case pretty much just browser compatibility update and addition to experimental features page.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: