2008916 - Report Integrity-Policy violations using the Reporting API

Status: RESOLVED FIXED

(Core :: DOM: Security, task)

Description

[Tom Schuster]

When we initially landed the Integrity-Policy we weren't able to add violation reports because the Reporting API was/is disabled by default. It seems like we might soon have the Reporting API enabled by default so we should also use it for the Integrity-Policy.

Comment 1

[Tom Schuster]

Attachment: Bug 2008916 - Add IntegrityViolationReportBody skeleton. r?sfarre

Comment 2

[Tom Schuster]

Attachment: Bug 2008916 - Report Integrity-Policy violations. r?sfarre

Comment 3

[Tom Schuster]

Attachment: Bug 2008916 - Update WPT. r?sfarre

Comment 4

[Pulsebot]

Pushed by tschuster@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/4a02bb1f4488
https://hg.mozilla.org/integration/autoland/rev/2a9f84cf88ae
Add IntegrityViolationReportBody skeleton. r=sfarre,webidl,smaug
https://github.com/mozilla-firefox/firefox/commit/520858277aca
https://hg.mozilla.org/integration/autoland/rev/455b002c893d
Report Integrity-Policy violations. r=sfarre
https://github.com/mozilla-firefox/firefox/commit/8df8a9ddbec9
https://hg.mozilla.org/integration/autoland/rev/785785cec022
Update WPT. r=sfarre

Comment 5

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/2a9f84cf88ae
https://hg.mozilla.org/mozilla-central/rev/455b002c893d
https://hg.mozilla.org/mozilla-central/rev/785785cec022

Comment 6

[Hamish Willee]

FF149 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/43199

FWIW Tom, the implementation here doesn't quite match the spec: https://w3c.github.io/webappsec-subresource-integrity/#report-violations
The code defines the report body as a ReportBody derived interface with toJson() while the spec intent is that this is a dictionary. You're probably aware and I am just missing something. The request for info is so you see this, in case it matters.

Comment 7

[Tom Schuster]

(In reply to Hamish Willee from comment #6)

FF149 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/43199

FWIW Tom, the implementation here doesn't quite match the spec: https://w3c.github.io/webappsec-subresource-integrity/#report-violations
The code defines the report body as a ReportBody derived interface with toJson() while the spec intent is that this is a dictionary. You're probably aware and I am just missing something. The request for info is so you see this, in case it matters.

Thank Hamish for working on this. We are are aware of the dictionary discrepancy: bug 1976189 comment 2.

Comment 8

[Hamish Willee]

Thanks! In no way on you but this is so frustrating. I'm currently moving all the MDN docs to dictionaries on the assumption that this is happen - at suggestion of compat team. We're very much in an intermediate state ... and have been for over a year.