Closed
Bug 662227
Opened 14 years ago
Closed 7 years ago
Load script files only with a Content-Type of application/javascript or application/json when CSP is enabled
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
WONTFIX
People
(Reporter: bugzilla, Assigned: bsterne)
Expected Result:
Firefox should not load a script file if its Content-Type is not allowed by the CSP spec.
Actual Result:
Current Firefox will load a script file with any Content-Type.
What the CSP spec says:
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-execution-restrictions
User-agents must execute all external scripts whose src attribute refers to a permitted source and which are served with a Content-Type of application/javascript or application/json.
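The Content-Type gate the quoted draft describes, as an added example that is not code from the bug, the spec or Gecko: it parses the header down to its type/subtype (parameters such as charset are dropped, case is normalised) and applies the draft's two-type allowlist only when a CSP is present, which reproduces the "Actual Result" behaviour when no CSP is set. The response list and function names are constructed for the example.

```javascript
// Added example (not Gecko code): the script Content-Type rule from the CSP
// draft quoted above, applied to constructed fetch-style responses.
// Only the two types the draft names are allowed; text/javascript is therefore
// rejected, which is the point comment 2 raises about expanding the list.
const CSP_SCRIPT_TYPES = new Set(["application/javascript", "application/json"]);

// Reduce a Content-Type header value to its essence ("type/subtype"):
// drop parameters ("; charset=utf-8"), trim, lower-case. Returns null when
// the header is absent or is not of the form type/subtype.
function mediaTypeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return essence.includes("/") ? essence : null;
}

// Decide whether an external script response may execute.
// cspEnabled: whether the document delivered a Content-Security-Policy.
// Returns { execute: boolean, reason: string }.
function scriptLoadDecision({ cspEnabled, contentType }) {
  if (!cspEnabled) {
    // The behaviour the report calls "Actual Result": any type is accepted.
    return { execute: true, reason: "no CSP; Content-Type not checked" };
  }
  const essence = mediaTypeEssence(contentType);
  if (essence === null) {
    return { execute: false, reason: "CSP: missing or malformed Content-Type" };
  }
  if (!CSP_SCRIPT_TYPES.has(essence)) {
    return { execute: false, reason: `CSP: ${essence} is not an allowed script type` };
  }
  return { execute: true, reason: `CSP: ${essence} allowed` };
}

// Constructed sample responses, as a script loader would see their headers.
const SAMPLE_RESPONSES = [
  { url: "/app.js",     contentType: "application/javascript; charset=utf-8" },
  { url: "/data.json",  contentType: "Application/JSON" },
  { url: "/legacy.js",  contentType: "text/javascript" },
  { url: "/upload.txt", contentType: "text/plain" },
  { url: "/nohdr.js",   contentType: undefined },
];

// Evaluate every sample response under the given CSP state.
function evaluateAll(cspEnabled) {
  return SAMPLE_RESPONSES.map((r) => ({
    url: r.url,
    ...scriptLoadDecision({ cspEnabled, contentType: r.contentType }),
  }));
}
```

With a CSP present only /app.js and /data.json execute; without one, all five do.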
Comment 1 • 14 years ago
bsterne?
Component: DOM: Core & HTML → Security
QA Contact: general → toolkit
Comment 2 • 14 years ago
I'll take this. dynamis, thanks for reporting, but I would encourage you to hold off on filing not-implemented-per-spec bugs just yet. I only say this, as I've seen you CC yourself on a number of CSP implementation bugs and I want to save you the time.
The "spec" is still in flux and there are a number of known disparities between the Gecko implementation and what's in the "spec", which is still in Unofficial Draft status. I do appreciate you filing this bug, though.
Incidentally, we may want to expand the list of allowed MIME types beyond the two listed here.
Assignee: nobody → bsterne
Updated • 13 years ago
Component: Security → DOM: Core & HTML
QA Contact: toolkit → general
Comment 3 • 13 years ago
Brandon - do you know why this was dropped from the CSP spec?
Comment 4 • 13 years ago
This requirement was taken out of the spec in Nov 2011:
https://dvcs.w3.org/hg/content-security-policy/rev/76f67cf1e5ad
Hopefully we can get something like it back in because the current behavior is potentially dangerous (e.g. bug 722547).
Comment 5 • 7 years ago
I'm WONTFIXING this. You can get stricter MIME type checking by using X-Content-Type-Options. If you want that to be CSP controlled I recommend filing a specification issue first.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX