Closed Bug 1984973 Opened 4 months ago Closed 3 months ago

Enable Integrity-Policy header by default on release

Categories: Core :: DOM: Security (task)

Tracking: RESOLVED FIXED, 145 Branch
Tracking Status: relnote-firefox --- 145+; firefox145 --- fixed

People: Reporter: tschuster, Assigned: tschuster

References: Blocks 1 open bug

Details: Keywords: dev-doc-complete

Attachments: 1 file

It's currently only enabled in Nightly.

Assignee: nobody → tschuster

Seems like Chrome and Safari are shipping/shipped this. We probably want to do the same now. This means we sadly won't have support for the Reporting API.

Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 145 Branch

Tom, do we want to mention that change in our release notes? Thanks

Flags: needinfo?(tschuster)

Release Note Request (optional, but appreciated)
[Why is this notable]: A new HTTP security header.
[Affects Firefox for Android]: yes
[Suggested wording]: Firefox now partially supports the new Integrity-Policy header, which is used to enforce subresource integrity for scripts.
[Links (documentation, blog post, etc)]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Integrity-Policy

relnote-firefox: --- → ?
Flags: needinfo?(tschuster)

Note added to our nightly release notes with this wording:

Firefox now partially supports the new Integrity-Policy header, which is used to enforce sub-resource integrity for scripts.

I am keeping the relnote-firefox set to ? until we integrate this note into our final 145 release notes, thanks.

Keywords: dev-doc-needed
QA Whiteboard: [qa-triage-done-c146/b145]

FF145 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/41511

Hi Tom, just to be precise, can you please confirm:

  • This only enables the headers for use with scripts (not styles)
  • Support is partial in that the reporting API is not integrated: reporting endpoints are ignored and violations are logged to console.
Flags: needinfo?(tschuster)

> This only enables the headers for use with scripts (not styles)

Correct, only scripts. (Style isn't supported anywhere by default, controlled by security.integrity_policy.stylesheet.enabled)

> Support is partial in that the reporting API is not integrated: reporting endpoints are ignored and violations are logged to console.

Yes. Unfortunately the only way to know if something was blocked is by looking at the web console.

Flags: needinfo?(tschuster)
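The header and the check it enforces, as an added example that is not Mozilla's code or this bug's attachment: it assumes Python 3, a constructed sample script body and a placeholder endpoint name, and mirrors what the comments above state, namely that Firefox 145 enforces the policy for scripts only and ignores the endpoints member.

```python
"""Added example (not Firefox code): emit the Integrity-Policy header, compute
the SRI value a <script> tag needs, and emulate the browser-side check."""
import base64
import hashlib

# Firefox 145 enforces the script destination only; per the bug comments the
# endpoints member is accepted but ignored (violations are logged to the web
# console). "sri-report" is a placeholder endpoint name, not a real one.
INTEGRITY_POLICY = "blocked-destinations=(script), endpoints=(sri-report)"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample script body used for the demonstration.
SAMPLE_SCRIPT = b'console.log("hello from a constructed sample script");\n'


def sri_value(body: bytes, algorithm: str = "sha384") -> str:
    """Return the 'sha384-<base64 digest>' token for a script body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Render the tag a page must use once Integrity-Policy is in effect."""
    return (f'<script src="{src}" integrity="{sri_value(body)}" '
            'crossorigin="anonymous"></script>')


def script_allowed(body: bytes, integrity_attr: str) -> tuple[bool, str]:
    """Emulate the browser decision for one script under the header above.

    The attribute may hold several space-separated tokens; tokens with an
    unrecognised algorithm are skipped, as browsers do. With the policy in
    effect a script that carries no usable integrity metadata is blocked
    outright (assumption: this is how the bug describes Firefox's behaviour).
    """
    usable = [t for t in integrity_attr.split()
              if t.partition("-")[0] in SRI_ALGORITHMS]
    if not usable:
        return False, "no integrity metadata: blocked by Integrity-Policy"
    for token in usable:
        if sri_value(body, token.partition("-")[0]) == token:
            return True, "ok"
    return False, "digest mismatch: blocked, logged to the web console"
```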

Added to our final 145 release notes.
