Project: chromium
Starred by 2 users
Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 3
Type: Feature



CSP: Experiment with 'require-sri-for'
Reported by shek...@gmail.com, Jun 10 2016
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36

Steps to reproduce the problem:
No way for me to open an issue to track CSP feature implementation; sorry for using this template.

What is the expected behavior?

What went wrong?
As described at https://github.com/w3c/webappsec-subresource-integrity/pull/32

Did this work before? N/A 

Chrome version: 51.0.2704.79  Channel: n/a
OS Version: OS X 10.11.5
Flash Version: Shockwave Flash 21.0 r0
 
Cc: jww@chromium.org
Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Feature
Status: Available
jww- Is there an appropriate component for this request? Or should it live in github?
Comment 2 by jww@chromium.org, Jun 10 2016
Cc: mkwst@chromium.org
Labels: -OS-Mac OS-All
Blink->SecurityFeature is perfect. I've CC'd Mike as well.
Project Member Comment 3 by bugdroid1@chromium.org, Jul 14 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/615df311feca979548acd4f73ce3d7ac34449e3a

commit 615df311feca979548acd4f73ce3d7ac34449e3a
Author: shekyan <shekyan@gmail.com>
Date: Thu Jul 14 19:10:31 2016

Implement the `require-sri-for` CSP directive

As defined in [1], this CSP directive allows developers to block resource
requests that do not contain integrity metadata. This includes contexts
like external scripts, workers, shared workers, service workers, external
stylesheets, preload requests, and requests originated by CSS @import.

[1]: https://w3c.github.io/webappsec-subresource-integrity/#opt-in-require-sri-for

Intent to implement: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/jyCdW1dHyYA/YefRSKs1AQAJ

BUG=618924
R=mkwst@chromium.org

Review-Url: https://codereview.chromium.org/2056183002
Cr-Commit-Position: refs/heads/master@{#405530}

[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/not-ran.js
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/ran.js
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-allowed-meta.html
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-blocked-meta.html
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-preload-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-preload-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-reportonly-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-reportonly-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-serviceworker-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-sharedworker-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-sharedworker-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-import-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-preload-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-preload-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-reportonly-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-reportonly-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-svg-script-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-fromblob-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-fromblob-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/sri-sharedworker.js
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/sri-worker.js
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/fetch/FetchRequest.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/html/HTMLLinkElement.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/AbstractWorker.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/AbstractWorker.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/InProcessWorkerBase.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/SharedWorker.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp

Project Member Comment 4 by sheriffbot@chromium.org, Jul 17
Labels: Hotlist-Recharge-Cold
Status: Untriaged
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -jww@chromium.org franc...@mozilla.com fred...@mozilla.com ckerschb...@mozilla.com
Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Labels: -Pri-2 -Hotlist-Recharge-Cold -OS-All OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
Status: Available
We should decide if we're going to ship this. CCing Mozilla folks, as they also have an implementation behind a flag.