Closed Bug 1765289 Opened 3 years ago Closed 2 years ago

Early Hints: Parse additional header fields for content-policy-security

Categories

(Core :: Networking: HTTP, task, P2)

task

Tracking

()

RESOLVED FIXED
110 Branch
Tracking Status
firefox110 --- fixed

People

(Reporter: manuel, Assigned: acreskey)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file, 1 obsolete file)

When the server already responses with additional headers about CSP or referrer-policy, we should respect it and restrict the outgoing requests accordingly. Currently only the referrerpolicy passed in the Link header directly is parsed (e.g. via Link: <style.css>; rel=preload; as=style; referrerpolicy=no-referrer). There is no link attribute for CSP in the link spec, so it's only possible to specify them via http-header for early hint requests.

This is not critical for the first patch, because only same-origin requests are made for now (and early hints are disabled by default for now). It becomes more important when preloading cross origin requests (Bug 1744822)

Severity: -- → N/A
Priority: -- → P2
Whiteboard: [necko-triaged]
Assignee: nobody → acreskey
Status: NEW → ASSIGNED
See Also: → 1799166

I've moved the refererre-policy parsing and application into a separate issue, bug 1799166

Summary: Early Hints: Parse additional header fields for content-policy-security and referrer-policy → Early Hints: Parse additional header fields for content-policy-security
Attachment #9301827 - Attachment is obsolete: true
Attachment #9301827 - Attachment is obsolete: false

Comment on attachment 9301827 [details]
wip Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security and referrer-policy

Revision D161182 was moved to bug 1799166. Setting attachment 9301827 [details] to obsolete.

Attachment #9301827 - Attachment is obsolete: true

We're also going to cover the scenario described by :manuel here.

Server response:

    103 Early Hints
    Content-Security-Policy: style-src: https://example.com/
    Link: https://example.com/style.css; rel=preload; as=style referrerpolicy=no-referrer

    200 OK
    Content-Security-Policy: style-src: https://example.com/ # <-- Two test cases, one with this line, one without

Response when requesting the resource https://example.com/style.css

    301 Moved Permanently
    Location: https://example.net/style.css
Attachment #9303555 - Attachment description: WIP: Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security → Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security
Attachment #9303555 - Attachment description: Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security → Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security r=necko-reviewers, freddyb!
Attachment #9303555 - Attachment description: Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security r=necko-reviewers, freddyb! → Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security
Attachment #9303555 - Attachment description: Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security → Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security r=necko-reviewers, ckerschb!
Attachment #9303555 - Attachment description: Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security r=necko-reviewers, ckerschb! → Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security r=#necko-reviewers,ckerschb!
See Also: → 1806403
Pushed by acreskey@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4327c23b4f93 Early Hints: Parse additional header fields for content-policy-security r=necko-reviewers,kershaw,ckerschb,asuth
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: