Closed Bug 1935434 Opened 1 year ago Closed 8 months ago

Discard malformed trusted-type policy name in CSP directive instead of ignoring the whole CSP directive

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
138 Branch
Tracking Flags:
Tracking Status
firefox138 --- fixed

People

(Reporter: mbrodesser, Assigned: fredw)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog], [wptsync upstream])

Attachments

(1 file)

Bug 1935434 Implement forgiving parsing for trusted-types CSP directive. r=smaug
48 bytes, text/x-phabricator-request
Details | Review

Thanks for filing. Marking as an enhancement, as long as TT is disabled.

Severity: -- → S3
Type: defect → enhancement
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
Depends on: 1956781

Currently, we just discard the whole directive if an invalid token is
found. With this patch, we instead ignore such a token. Also improves
tests in should-trusted-type-policy-creation-be-blocked-by-csp-002.html
so that we really check that the original trusted-types directive is
preserved after serialization.

See https://github.com/w3c/webappsec-csp/pull/363#issuecomment-2160193577

Assignee: nobody → fwang
Status: NEW → ASSIGNED
Blocks: 1942306
Pushed by fwang@igalia.com: https://hg.mozilla.org/integration/autoland/rev/3a01a7335e0b Implement forgiving parsing for trusted-types CSP directive. r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/51691 for changes under testing/web-platform/tests
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog], [wptsync upstream]

Backed out for causing GTest failures

Backout link

Push with failures

Failure log

Flags: needinfo?(fwang)
Upstream PR was closed without merging

These GTest are not up-to-date now that we do forgiving parsing. Updated in the last patch.

Flags: needinfo?(fwang)
Pushed by fwang@igalia.com: https://hg.mozilla.org/integration/autoland/rev/d53513a85e73 Implement forgiving parsing for trusted-types CSP directive. r=smaug

Backed out for causing GTest failures

Backout link

Push with failures

Failure log

Flags: needinfo?(fwang)
Upstream PR was closed without merging
Pushed by fwang@igalia.com: https://hg.mozilla.org/integration/autoland/rev/f27925f3d6f7 Implement forgiving parsing for trusted-types CSP directive. r=smaug
Flags: needinfo?(fwang)

https://hg.mozilla.org/mozilla-central/rev/f27925f3d6f7

Status: ASSIGNED → RESOLVED
Closed: 8 months ago
status-firefox138: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch
Upstream PR merged by moz-wptsync-bot
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: