Early Hints: Parse additional header fields for content-policy-security
Categories
(Core :: Networking: HTTP, task, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox110 | --- | fixed |
People
(Reporter: manuel, Assigned: acreskey)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file, 1 obsolete file)
When the server already responses with additional headers about CSP or referrer-policy, we should respect it and restrict the outgoing requests accordingly. Currently only the referrerpolicy passed in the Link header directly is parsed (e.g. via Link: <style.css>; rel=preload; as=style; referrerpolicy=no-referrer
). There is no link attribute for CSP in the link spec, so it's only possible to specify them via http-header for early hint requests.
This is not critical for the first patch, because only same-origin requests are made for now (and early hints are disabled by default for now). It becomes more important when preloading cross origin requests (Bug 1744822)
Updated•3 years ago
|
Assignee | ||
Comment 1•2 years ago
|
||
Updated•2 years ago
|
Assignee | ||
Comment 2•2 years ago
|
||
I've moved the refererre-policy parsing and application into a separate issue, bug 1799166
Assignee | ||
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 3•2 years ago
|
||
Comment on attachment 9301827 [details]
wip Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security and referrer-policy
Revision D161182 was moved to bug 1799166. Setting attachment 9301827 [details] to obsolete.
Assignee | ||
Comment 4•2 years ago
|
||
Assignee | ||
Comment 5•2 years ago
|
||
We're also going to cover the scenario described by :manuel here.
Server response:
103 Early Hints
Content-Security-Policy: style-src: https://example.com/
Link: https://example.com/style.css; rel=preload; as=style referrerpolicy=no-referrer
200 OK
Content-Security-Policy: style-src: https://example.com/ # <-- Two test cases, one with this line, one without
Response when requesting the resource https://example.com/style.css
301 Moved Permanently
Location: https://example.net/style.css
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 7•2 years ago
|
||
bugherder |
Description
•