Closed Bug 1277248 Opened 8 years ago Closed 8 years ago

Add test to ensure that CSP require-sri-for blocks <svg:script>

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla51

Tracking Flags:

Tracking

Status

firefox51

---

fixed

People

(Reporter: freddy, Assigned: freddy)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

test_svg.php 8 years ago Frederik Braun [:freddy] (deleted), application/x-php		Details
Bug 1277248: add test to ensure that require-sri-for does not allow svg:scripts 8 years ago Frederik Braun [:freddy] (deleted), text/x-review-board-request	ckerschb : review+	Details

Frederik Braun [:freddy]

Assignee

Description

•

8 years ago

Attached file test_svg.php (deleted) — Details

svg:script doesn't technically know about Subresource Integrity, according to https://github.com/w3c/webappsec/issues/396 This bug is to investigate if this is a potential CSP |require-sri-for| bypass and add a test case to ensure it isn't. But so far, my local testing can not make svg:script work with the CSP set. I have a naive PHP test attached (yet to become a mochitest).

Frederik Braun [:freddy]

Assignee

Comment 1

•

8 years ago

This /could/ be a good first bug.

Summary: SRI: <svg:script> is supposedly a special snowflake and needs its own SRI support → Add test to ensure that CSP require-sri-for blocks <svg:script>

Christoph Kerschbaumer [:ckerschb]

Updated

•

8 years ago

Whiteboard: [domsecurity-backlog]

Christoph Kerschbaumer [:ckerschb]

Updated

•

8 years ago

Blocks: csp-w3c-3

Christoph Kerschbaumer [:ckerschb]

Updated

•

8 years ago

Blocks: SRI

Christoph Kerschbaumer [:ckerschb]

Updated

•

8 years ago

Priority: -- → P3

Christoph Kerschbaumer [:ckerschb]

Updated

•

8 years ago

Whiteboard: [domsecurity-backlog] → [domsecurity-backlog3]

Comment hidden (mozreview-request)

Frederik Braun [:freddy]

Assignee

Updated

•

8 years ago

Assignee: nobody → fbraun

Status: NEW → ASSIGNED

Whiteboard: [domsecurity-backlog3] → [domsecurity-active]

Christoph Kerschbaumer [:ckerschb]

Comment 3

•

8 years ago

mozreview-review

Comment on attachment 8790639 [details] Bug 1277248: add test to ensure that require-sri-for does not allow svg:scripts https://reviewboard.mozilla.org/r/78352/#review76936 lgtm,r=me and thanks!

Attachment #8790639 - Flags: review?(ckerschb) → review+

Frederik Braun [:freddy]

Assignee

Updated

•

8 years ago

Keywords: checkin-needed

Pulsebot

Comment 4

•

8 years ago

Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/d434f479d145 Add test to ensure that require-sri-for does not allow svg:scripts r=ckerschb

Keywords: checkin-needed

Carsten Book [:Tomcat]

Comment 5

•

8 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/d434f479d145

Status: ASSIGNED → RESOLVED

Closed: 8 years ago

status-firefox51: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla51

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Add test to ensure that CSP require-sri-for blocks <svg:script>

Categories

(Core :: DOM: Security, defect, P3)

Tracking

()

People

(Reporter: freddy, Assigned: freddy)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-active])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Updated

Updated

Updated

Updated

Updated

Comment 2

Updated

Comment 3

Updated

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type