Intent to prototype and ship: CSP unsafe-hashes keyword
72 views
Skip to first unread message
Tom Schuster
Dec 16, 2022, 10:08:34 AM12/16/22
to dev-pl...@mozilla.org
In Firefox 110 (and potentially earlier*) we plan to ship the
'unsafe-hashes' keyword for Content-Security-Policies.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1343950
Specification: https://w3c.github.io/webappsec-csp/
Standards Body: W3C
Position Discussion: Part of
https://github.com/mozilla/standards-positions/issues/666
Platform Coverage: All
Preference: security.csp.unsafe-hashes.enabled
Other browsers: Chrome 69 and Safari 15.4 [1]
web-platform-tests:
https://wpt.fyi/results/content-security-policy/unsafe-hashes
The 'unsafe-hashes' keyword allows websites to use hashes in their CSP
to allow list event handlers and style attributes.
We landed disabled support for unsafe-hashes in Firefox 108 with
https://bugzilla.mozilla.org/show_bug.cgi?id=1797070, which also
included a fix for a security bug. The security bug basically meant
that Firefox behaved like every policy included 'unsafe-hashes'. There
is at least one website that breaks with the security bug fixed and
without support for unsafe-hashes:
https://bugzilla.mozilla.org/show_bug.cgi?id=1805948
* Because of the observed breakage we might decide to uplift this
feature into earlier versions of Firefox.
Tom
[1] https://caniuse.com/?search=unsafe-hashes
'unsafe-hashes' keyword for Content-Security-Policies.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1343950
Specification: https://w3c.github.io/webappsec-csp/
Standards Body: W3C
Position Discussion: Part of
https://github.com/mozilla/standards-positions/issues/666
Platform Coverage: All
Preference: security.csp.unsafe-hashes.enabled
Other browsers: Chrome 69 and Safari 15.4 [1]
web-platform-tests:
https://wpt.fyi/results/content-security-policy/unsafe-hashes
The 'unsafe-hashes' keyword allows websites to use hashes in their CSP
to allow list event handlers and style attributes.
We landed disabled support for unsafe-hashes in Firefox 108 with
https://bugzilla.mozilla.org/show_bug.cgi?id=1797070, which also
included a fix for a security bug. The security bug basically meant
that Firefox behaved like every policy included 'unsafe-hashes'. There
is at least one website that breaks with the security bug fixed and
without support for unsafe-hashes:
https://bugzilla.mozilla.org/show_bug.cgi?id=1805948
* Because of the observed breakage we might decide to uplift this
feature into earlier versions of Firefox.
Tom
[1] https://caniuse.com/?search=unsafe-hashes
Tom Schuster
Jan 4, 2023, 4:19:44 AM1/4/23
to dev-pl...@mozilla.org
As a small follow up: We now uplifted this feature into Firefox 109
(Beta currently).
(Beta currently).
Reply all
Reply to author
Forward
0 new messages