Early Hints: Parse additional header fields for content-policy-security
Categories
(Core :: Networking: HTTP, task, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox110 | --- | fixed |
People
(Reporter: manuel, Assigned: acreskey)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file, 1 obsolete file)
When the server already responses with additional headers about CSP or referrer-policy, we should respect it and restrict the outgoing requests accordingly. Currently only the referrerpolicy passed in the Link header directly is parsed (e.g. via Link: <style.css>; rel=preload; as=style; referrerpolicy=no-referrer). There is no link attribute for CSP in the link spec, so it's only possible to specify them via http-header for early hint requests.
This is not critical for the first patch, because only same-origin requests are made for now (and early hints are disabled by default for now). It becomes more important when preloading cross origin requests (Bug 1744822)
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 1•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 2•2 years ago
|
||
I've moved the refererre-policy parsing and application into a separate issue, bug 1799166
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Comment 3•2 years ago
|
||
Comment on attachment 9301827 [details]
wip Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security and referrer-policy
Revision D161182 was moved to bug 1799166. Setting attachment 9301827 [details] to obsolete.
|
|
Assignee | |
Comment 4•2 years ago
|
||
|
|
Assignee | |
Comment 5•1 year ago
|
||
We're also going to cover the scenario described by :manuel here.
Server response:
103 Early Hints
Content-Security-Policy: style-src: https://example.com/
Link: https://example.com/style.css; rel=preload; as=style referrerpolicy=no-referrer
200 OK
Content-Security-Policy: style-src: https://example.com/ # <-- Two test cases, one with this line, one without
Response when requesting the resource https://example.com/style.css
301 Moved Permanently
Location: https://example.net/style.css
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
Pushed by acreskey@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4327c23b4f93 Early Hints: Parse additional header fields for content-policy-security r=necko-reviewers,kershaw,ckerschb,asuth
|
||
Comment 7•1 year ago
|
||
| bugherder | ||
Description
•