pref breakage: security.csp.experimentalEnabled #223
Comments
I think that pref enables processing of the require-sri-for directive. https://dxr.mozilla.org/mozilla-release/source/dom/security/nsCSPParser.cpp#1058
At securityheaders.io, I see require-sri-for in the content-security-policy-report-only header but not the Content-Security-Policy header.
Thank you @Theemim
Nice find @crssi ! There seem to be 2 problems here, 1st what seems to be a bug in FF because the
Someone should test this with the latest nightly and if the bug is not already fixed there, open a new bug @ bugzilla. Any volunteers? xD As to whether "is it safe to reset this pref to default (false)?", I personally never set it to true in the 1st place because I assumed that it's probably not ready given that it still defaults to false.
@ScottHelme can you check whether the hashes are indeed wrong, please? The only problem is we need a new test-site for the bug-report if the hashes are wrong and Scott fixes it :(
Securityheaders page source, line 29, is the same found by querying here for
@crssi It lacks Content-Security-Policy headers.
Thank you all. :) @earthlng should this be disabled or forced to false/default in ghacksuser.js?
shortly thereafter, still mid March 2017: #10 (comment) ...
Got it... let's see then what @Thorin-Oakenpants will say, ;)
@Atavic thanks for that link. So if the hashes are correct then it seems that FF expects hashes for all non-inline scripts and styles. Regardless of that, the directive in a CSP report-only header should not deny loading those files. edit: as François said:
Although, reading it again, the error message clearly says "... the “sha512” hashes in the integrity attribute ..." and none of the 1st-party styles + scripts loading tags on Scott's site have an integrity attribute.
That feature isn't finished yet, which is why it's not enabled by default.
https://w3c.github.io/webappsec-subresource-integrity/
I guess we can consider mozilla informed about this issue now :)
No it's fine. When it works it's a nice security feature and when it doesn't it shows in the console. And since probably not many sites use it anyway it shouldn't cause a lot of breakage. And it has 'experimental' right in the name so people should expect some kind of breakage.
It seems definitely dead to me. |
Just FYI.
What implications does setting this pref to false instead of true have?
Cheers