Implement CSP 'script-src-elem' and 'script-src-attr' directives
Categories: Core :: DOM: Security, enhancement, P3
Tracking

Tracking | Status
---|---
firefox105 | fixed
People: Reporter: dveditz, Assigned: tschuster
References: Blocks 2 open bugs
Details: Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1]
Attachments: 2 files
CSP 3 adds two new directives that supersede the script-src directive. These must be honored if present, with a fallback to script-src only if they are not.
script-src-elem specifically for <script> elements
https://w3c.github.io/webappsec-csp/#directive-script-src-elem
script-src-attr specifically for event handler attributes
https://w3c.github.io/webappsec-csp/#directive-script-src-attr
The major motivation for these appears to be so 'unsafe-inline' or 'unsafe-eval' can be allowed for the attribute one, which can't support a nonce, without blowing a hole everywhere else.
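As an added example (not Gecko code and not part of this bug), the following JavaScript models the fallback chain the description specifies: script-src-elem governs <script> elements and script-src-attr governs event handler attributes, each falling back to script-src (and then default-src) only when absent. The policy strings, the nonce value and the function names are constructed for illustration; the inline-script decision follows the CSP3 rule that 'unsafe-inline' is ignored once the governing directive carries a nonce or hash source, and that event handler attributes have no nonce to match, which is why script-src-attr is the place to grant 'unsafe-inline' without loosening <script> handling.

```javascript
// Added example, not Firefox/Gecko code: a minimal resolver for the CSP3
// fallback chain described in the bug. script-src-elem governs <script>
// elements and script-src-attr governs inline event handler attributes;
// each falls back to script-src, and script-src falls back to default-src.

const FALLBACK_CHAIN = {
  elem: ['script-src-elem', 'script-src', 'default-src'],
  attr: ['script-src-attr', 'script-src', 'default-src'],
};

// Parse a serialized policy (a Content-Security-Policy header value) into a
// Map from directive name to its list of source expressions. Directive names
// are case-insensitive and, per CSP3, a repeated directive is ignored.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Return the directive that governs a <script> element ('elem') or an event
// handler attribute ('attr'), or null when the policy contains none of them.
function governingDirective(policy, kind) {
  for (const name of FALLBACK_CHAIN[kind]) {
    if (policy.has(name)) return name;
  }
  return null;
}

// Decide whether inline script of the given kind is allowed. A nonce can only
// match a <script> element; event handler attributes cannot carry one. As in
// CSP3, 'unsafe-inline' is ignored when the governing directive also holds a
// nonce- or hash-source (or 'strict-dynamic').
function allowsInlineScript(policy, kind, nonce = null) {
  const name = governingDirective(policy, kind);
  if (name === null) return true; // nothing in the policy restricts it
  const sources = policy.get(name);
  const lower = sources.map((s) => s.toLowerCase());
  // Nonces are base64 and case-sensitive, so compare them verbatim.
  if (kind === 'elem' && nonce !== null && sources.includes(`'nonce-${nonce}'`)) {
    return true;
  }
  const hasNonceOrHash = lower.some(
    (s) => /^'(nonce|sha256|sha384|sha512)-/.test(s) || s === "'strict-dynamic'",
  );
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample policies (hypothetical host and nonce values).
const SAMPLE_SPLIT_POLICY =
  "default-src 'self'; script-src 'nonce-R4nd0m' https://cdn.example; script-src-attr 'unsafe-inline'";
const SAMPLE_LEGACY_POLICY = "script-src 'self' 'unsafe-inline'";

function demo() {
  const split = parsePolicy(SAMPLE_SPLIT_POLICY);
  const legacy = parsePolicy(SAMPLE_LEGACY_POLICY);
  return {
    splitElemDirective: governingDirective(split, 'elem'), // 'script-src'
    splitAttrDirective: governingDirective(split, 'attr'), // 'script-src-attr'
    splitInlineNoNonce: allowsInlineScript(split, 'elem'), // false
    splitInlineWithNonce: allowsInlineScript(split, 'elem', 'R4nd0m'), // true
    splitHandlerAttr: allowsInlineScript(split, 'attr'), // true
    legacyHandlerAttr: allowsInlineScript(legacy, 'attr'), // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The split policy keeps <script> elements nonce-gated while permitting inline event handlers, which is the use case the report names; the legacy policy shows that without the new directives, script-src governs both kinds and 'unsafe-inline' applies everywhere.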
Comment hidden (advocacy)
Comment hidden (advocacy)
Comment 3 (3 years ago)
The WebCompat issue got fixed, so removing the WebCompat priority flag as we have no further evidence of this breaking the real world.
Comment 4 (2 years ago)
Comment 5 (2 years ago)
Depends on D150965
Comment 7 (2 years ago), bugherder
https://hg.mozilla.org/mozilla-central/rev/f1489d7cf1a1
https://hg.mozilla.org/mozilla-central/rev/12cd014c46e8
Comment 8 (2 years ago)
Backed out for awaiting decision on implementing other CSP 3 features
Backout link: https://hg.mozilla.org/integration/autoland/rev/a1bee21f1624f6fb220522f89a4d5cd38e0e6415
Comment 10 (2 years ago), bugherder
https://hg.mozilla.org/mozilla-central/rev/cb20674f1b07
https://hg.mozilla.org/mozilla-central/rev/70b37777bc92
Comment 11 (2 years ago)
FYI Docs work for this can be tracked here: https://github.com/mdn/content/issues/20878
In this case it is pretty much just a browser compatibility update and an addition to the experimental features page.