Open Bug 1655030 Opened 3 months ago Updated 3 months ago

Fix and update internal CSP types to expose channels started by rel=preload

Categories

(Core :: DOM: Security, task, P3)

task

Tracking

()

People

(Reporter: mayhemer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-backlog1])

To recognize channels used for preload, the best solution is to fix CSP types, as mentioned in Bug 1624368 Comment 13. We are currently using them for identifying speculative loads using a suffix _PRELOAD, which collides with the actual rel=preload feature.

To make it more confusing, rel=preload is using speculative loading to start a preload. So we should have 3 CSP types for each resource type: regular, SPECULATIVE, _PRELOAD_SPECULATIVE. Whether to use only a _PRELOAD suffix or not is up to someone from the DOM team keeping the hand over these types.

Note that the _PRELOAD types need to be listed in nsContentUtils::IsPreloadType. For a complete list of changes possibly needed this patch may be a guide.

So, the work I can see here:

  • rename the existing nsIContentPolicy::TYPE_INTERNAL_*_PRELOAD to nsIContentPolicy::TYPE_INTERNAL_*_SPECULATIVE
  • add new nsIContentPolicy::TYPE_INTERNAL_*_PRELOAD (_SPECULATIVE_PRELOAD?) with new values, treat them as "preloads" in nsContentUtils::IsPreloadType as well
  • set the CSP type of channels open by rel=preload to _PRELOAD

Is it issue blocking the release of rel=preload? If it is, it should have an assignee.

Flags: needinfo?(honzab.moz)

(In reply to Nhi Nguyen (:nhi) from comment #2)

Is it issue blocking the release of rel=preload? If it is, it should have an assignee.

I don't believe it does block preload. This only about exposing an information in dev tools, nothing more. It's nice to have only.

Flags: needinfo?(honzab.moz)
Severity: -- → S4
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
You need to log in before you can comment on or make changes to this bug.