Closed
Bug 1779369
Opened 2 years ago
Closed 2 years ago
Report correct effective directive for everything
Categories
(Core :: DOM: Security, task, P3)
Tracking
RESOLVED
FIXED
108 Branch
Tracking | Status | |
---|---|---|
firefox108 | --- | fixed |
People
(Reporter: tschuster, Assigned: tschuster)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog2])
Attachments
(1 file)
In CSP 3.0, when reporting a failed directive, the effective directive should not be the name of the directive in the user-provided CSP, but basically the first directive that would have been used without fallbacks.
For example, in bug 1529337 I implemented this behavior for script-src-elem/attr. So even if the CSP header only contains script-src 'none', we would still report an effective directive of "script-src-elem" for every <script> tag that failed to execute and not "script-src".
I think bug 1192684 also had patches for this that got abandoned.
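To make the distinction in the description concrete, here is an added example (not code from this bug or from Gecko) that separates the effective directive from the policy directive that actually governs a load through fallback. It covers only a subset of the CSP3 fallback lists, assumes the load has already been blocked, and the load-kind names and the functions `parsePolicy` and `describeViolation` are hypothetical.

```javascript
// Added illustration, not Gecko's implementation.
// Fallback lists for a subset of CSP3 fetch directives, most specific first.
const FALLBACKS = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src-attr": ["script-src-attr", "script-src", "default-src"],
  "style-src-elem": ["style-src-elem", "style-src", "default-src"],
  "style-src-attr": ["style-src-attr", "style-src", "default-src"],
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
  "img-src": ["img-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
};

// Hypothetical load-kind names mapped to the directive a report should name.
const EFFECTIVE_FOR_LOAD = {
  "script-element": "script-src-elem",
  "event-handler": "script-src-attr",
  "style-element": "style-src-elem",
  "style-attribute": "style-src-attr",
  "worker": "worker-src",
  "iframe": "frame-src",
  "image": "img-src",
  "fetch": "connect-src",
};

// Parse a serialized policy into Map(directive name -> source list).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue; // empty segment, e.g. trailing ";"
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values); // duplicates are ignored
  }
  return policy;
}

// For a blocked load, return the effective directive to report and the
// directive in the policy that governed it, or null if none applies.
function describeViolation(header, loadKind) {
  const effective = EFFECTIVE_FOR_LOAD[loadKind];
  if (!effective) throw new Error(`unknown load kind: ${loadKind}`);
  const policy = parsePolicy(header);
  const governing = FALLBACKS[effective].find((d) => policy.has(d));
  if (!governing) return null;
  return { effectiveDirective: effective, governingDirective: governing };
}
```

For the header `script-src 'none'` and a blocked `<script>` element, this yields an effective directive of `script-src-elem` while the governing directive is `script-src`.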
Updated•2 years ago
Severity: -- → S3
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Comment 1•2 years ago (Assignee)
It would be good to finish this in the same cycle as bug 1192684, so that effective-directive in the CSP report is correct from the beginning.
Comment 2•2 years ago
Agreed. Does this seem feasible to you?
Comment 3•2 years ago (Assignee)
Depends on D161293
Updated•2 years ago
Assignee: nobody → tschuster
Status: NEW → ASSIGNED
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f50529f68f77 Report correct effective directive for everything. r=freddyb
Comment 5•2 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox108: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch