Closed Bug 1529337 Opened 6 years ago Closed 2 years ago

Implement CSP 'script-src-elem' and 'script-src-attr' directives

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
105 Branch
Tracking Flags:
Tracking Status
firefox105 --- fixed

People

(Reporter: dveditz, Assigned: tschuster)

References

(Blocks 2 open bugs)

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

Bug 1529337 - Implement CSP 'script-src-elem' and 'script-src-attr' directives. r?freddyb
(deleted), text/x-phabricator-request
Details
Bug 1529337 - Use script-src-elem/attr as effectiveDirective in CSP reports. r?freddyb
(deleted), text/x-phabricator-request
Details

CSP 3 adds two new directives that supersede the script-src directive. These must be honored if present, with a fallback to script-src only if they are not.

script-src-elem specifically for <script> elements
https://w3c.github.io/webappsec-csp/#directive-script-src-elem

script-src-attr specifically for event handler attributes
https://w3c.github.io/webappsec-csp/#directive-script-src-attr

The major motivation for these appears to be so 'unsafe-inline' or 'unsafe-eval' can be allowed for the attribute one which can't support a nonce without blowing a hole everywhere else.

Blocks: csp-w3c-3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Blocks: 1742631
Webcompat Priority: --- → ?

The WebCompat issue got fixed, so removing the WebCompat priority flag as we have no further evidence of this breaking the real world.

Webcompat Priority: ? → ---
Assignee: nobody → tschuster
Attachment #9284022 - Attachment description: WIP: Bug 1529337 - Implement CSP 'script-src-elem' and 'script-src-attr' directives → Bug 1529337 - Implement CSP 'script-src-elem' and 'script-src-attr' directives. r?freddyb
Attachment #9284925 - Attachment description: Bug 1529337 - Use script-src-elem/attr as violatedDirective in CSP reports. r?freddyb → Bug 1529337 - Use script-src-elem/attr as effectiveDirective in CSP reports. r?freddyb
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f1489d7cf1a1 Implement CSP 'script-src-elem' and 'script-src-attr' directives. r=freddyb,webidl,smaug https://hg.mozilla.org/integration/autoland/rev/12cd014c46e8 Use script-src-elem/attr as effectiveDirective in CSP reports. r=freddyb

https://hg.mozilla.org/mozilla-central/rev/f1489d7cf1a1
https://hg.mozilla.org/mozilla-central/rev/12cd014c46e8

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox104: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch
Blocks: 1779443

Backed out for awaiting decision on implementing other CSP 3 features

Backout link: https://hg.mozilla.org/integration/autoland/rev/a1bee21f1624f6fb220522f89a4d5cd38e0e6415

Status: RESOLVED → REOPENED
status-firefox104: fixed → ---
Resolution: FIXED → ---
Target Milestone: 104 Branch → ---
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cb20674f1b07 Implement CSP 'script-src-elem' and 'script-src-attr' directives. r=freddyb,webidl,smaug,dveditz https://hg.mozilla.org/integration/autoland/rev/70b37777bc92 Use script-src-elem/attr as effectiveDirective in CSP reports. r=freddyb,dveditz
Blocks: 1782513

https://hg.mozilla.org/mozilla-central/rev/cb20674f1b07
https://hg.mozilla.org/mozilla-central/rev/70b37777bc92

Status: REOPENED → RESOLVED
Closed: 2 years ago2 years ago
status-firefox105: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
Regressions: 1782730

FYI Docs work for this can be tracked here: https://github.com/mdn/content/issues/20878

In this case pretty much just browser compatibility update and addition to experimental features page.

Keywords: dev-doc-neededdev-doc-complete
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: