Closed Bug 1583489 Opened 2 years ago Closed 2 years ago

Tighten CSP assertion for about: pages

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox71 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Now that we are getting close to all about: pages shipping with a CSP, we should tighten the CSP. E.g., Bug 1499354 will add object-src 'none', so we should also include that in the assertion that all about: pages have object-src 'none'. Further, we can assert that no policy should include 'unsafe-inline'.
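
The two conditions named in the description above, written as a standalone policy check. This is an added example, not Firefox code and not part of the bug comments; the function names `parsePolicy` and `checkAboutPageCsp`, the violation strings, and the sample policies are assumptions made for illustration, and the check assumes a single serialized policy such as the content of a `<meta>` CSP.

```javascript
// Added illustration, not Firefox code; function names are hypothetical.

// Parse one serialized policy into a Map of directive name -> source tokens.
// Names are case-insensitive; a repeated directive is ignored (first wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      // Lowercased only so keyword sources compare case-insensitively.
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Return the list of violations of the two conditions named in the bug.
function checkAboutPageCsp(policy) {
  if (typeof policy !== "string" || policy.trim() === "") {
    return ["no CSP present"];
  }
  const problems = [];
  const directives = parsePolicy(policy);
  // Assumption: object-src must be explicit; a default-src fallback is not accepted.
  const objectSrc = directives.get("object-src");
  if (!objectSrc) {
    problems.push("object-src missing");
  } else if (objectSrc.length !== 1 || objectSrc[0] !== "'none'") {
    problems.push("object-src is not 'none'");
  }
  for (const [name, sources] of directives) {
    if (sources.includes("'unsafe-inline'")) {
      problems.push(`'unsafe-inline' in ${name}`);
    }
  }
  return problems;
}

// Constructed sample policies, not taken from any real about: page.
const samples = [
  "default-src chrome:; object-src 'none'",
  "default-src chrome:; style-src chrome: 'unsafe-inline'; object-src 'none'",
  "default-src 'none'",
];
for (const csp of samples) {
  console.log(JSON.stringify(csp), "->", checkAboutPageCsp(csp));
}
```
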

Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ff8a499e1ea4
Tighten CSP assertion for about: pages. r=jkt

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71