New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 618924 link

Starred by 3 users
Status: Available
Owner: ----
Cc:
mkwst@chromium.org
fred...@mozilla.com
franc...@mozilla.com
ckerschb...@mozilla.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Feature



Sign in to add a comment

CSP: Experiment with 'require-sri-for'

Reported by shek...@gmail.com, Jun 10 2016 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36

Steps to reproduce the problem:
No way for me to open issue to track CSP feature implementation, sorry for using this template.

What is the expected behavior?

What went wrong?
As described at https://github.com/w3c/webappsec-subresource-integrity/pull/32

Did this work before? N/A 

Chrome version: 51.0.2704.79  Channel: n/a
OS Version: OS X 10.11.5
Flash Version: Shockwave Flash 21.0 r0

Comment 1 by nparker@chromium.org, Jun 10 2016

Cc: jww@chromium.org
Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Feature
Status: Available (was: Unconfirmed)
jww- Is there an appropriate component for this request? Or should it live in github?

Comment 2 by jww@chromium.org, Jun 10 2016

Cc: mkwst@chromium.org
Labels: -OS-Mac OS-All
Blink->SecurityFeature is perfect. I've CC'd Mike as well.
Project Member

Comment 3 by bugdroid1@chromium.org, Jul 14 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/615df311feca979548acd4f73ce3d7ac34449e3a

commit 615df311feca979548acd4f73ce3d7ac34449e3a
Author: shekyan <shekyan@gmail.com>
Date: Thu Jul 14 19:10:31 2016

Implement the `require-sri-for` CSP directive

As defined in [1], this CSP directive allows developers to block resource
requests that do not contain integrity metadata. This includes contexts
like external scripts, workers, shared workers, service workers, external
stylesheets, preload requests, and requests originated by CSS @import.

[1]: https://w3c.github.io/webappsec-subresource-integrity/#opt-in-require-sri-for

Intent to implement: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/jyCdW1dHyYA/YefRSKs1AQAJ

BUG=618924
R=mkwst@chromium.org

Review-Url: https://codereview.chromium.org/2056183002
Cr-Commit-Position: refs/heads/master@{#405530}

[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/not-ran.js
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/ran.js
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-allowed-meta.html
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-blocked-meta.html
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-preload-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-preload-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-reportonly-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-script-reportonly-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-serviceworker-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-sharedworker-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-sharedworker-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-import-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-preload-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-preload-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-reportonly-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-style-reportonly-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-svg-script-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-fromblob-allowed.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/require-sri-for-worker-fromblob-blocked.php
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/sri-sharedworker.js
[add] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/require-sri-for/sri-worker.js
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/fetch/FetchRequest.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/html/HTMLLinkElement.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/AbstractWorker.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/AbstractWorker.h
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/InProcessWorkerBase.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/core/workers/SharedWorker.cpp
[modify] https://crrev.com/615df311feca979548acd4f73ce3d7ac34449e3a/third_party/WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 17 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by mkwst@chromium.org, Aug 1 2017

Cc: -jww@chromium.org franc...@mozilla.com fred...@mozilla.com ckerschb...@mozilla.com
Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Labels: -Pri-2 -Hotlist-Recharge-Cold -OS-All OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
Status: Available (was: Untriaged)
We should decide if we're going to ship this. CCing Mozilla folks, as they also have an implementation behind a flag.

Comment 6 by mkwst@chromium.org, Oct 9 2017

Components: -Blink>SecurityFeature>ContentSecurityPolicy Blink>SecurityFeature

Comment 7 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 8 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Sign in to add a comment