
Intent to ship: CSP Violation DOM Events


Chung-Sheng Fu

Nov 17, 2017, 12:55:15 AM11/17/17
to dev-pl...@lists.mozilla.org
Content Security Policy suggests Security Policy Violation DOM Events [1].
In case any of the directives within a policy are violated, such a
SecurityPolicyViolationEvent is generated and sent out to a reporting
endpoint associated with the policy. We are working on implementing those
violation events here [2] and plan to ship them within Firefox 59.

Thanks,

Chung-Sheng Fu, Christoph Kerschbaumer

[1] https://w3c.github.io/webappsec-csp/#violation-events

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1037335
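The event described above fires inside the page itself, alongside whatever report-uri/report-to reporting the policy configures, so page code can observe it. The following is an added example (not Firefox, WPT or spec code) of a listener that consumes SecurityPolicyViolationEvent and turns it into a deduplicated record; the sample event at the bottom is constructed, not captured from a browser, and the field list follows the attributes CSP3 defines on the event.

```javascript
'use strict';

// Attributes CSP3 defines on SecurityPolicyViolationEvent.
const EVENT_FIELDS = [
  'documentURI', 'referrer', 'blockedURI', 'effectiveDirective',
  'violatedDirective', 'originalPolicy', 'sourceFile', 'sample',
  'disposition', 'statusCode', 'lineNumber', 'columnNumber',
];

// blockedURI is not always a URL: CSP3 uses the tokens "inline" and "eval"
// for inline code and eval()-style execution, and strips non-HTTP(S) URLs
// down to their scheme (e.g. "data") before exposing them in reports.
function classifyBlockedURI(blockedURI) {
  if (blockedURI === 'inline') return 'inline';
  if (blockedURI === 'eval') return 'eval';
  if (/^https?:\/\//i.test(blockedURI)) return 'url';
  if (/^[a-z][a-z0-9+.-]*$/i.test(blockedURI)) return 'scheme';
  return 'unknown';
}

// Deduplication key: the same violation can fire many times per page load
// (once per blocked fetch or inline execution attempt).
function violationKey(ev) {
  return [ev.effectiveDirective, ev.blockedURI, ev.sourceFile || '',
    ev.lineNumber || 0, ev.columnNumber || 0].join('|');
}

const seen = new Map(); // violationKey -> occurrence count

// Convert an event into a plain record for your own telemetry endpoint.
// Returns null for repeats of an already-seen violation.
function handleViolation(ev) {
  const record = {};
  for (const f of EVENT_FIELDS) record[f] = ev[f];
  record.kind = classifyBlockedURI(ev.blockedURI);
  // disposition "report" means a Content-Security-Policy-Report-Only policy:
  // the resource was NOT blocked, so treat it as a finding, not an outage.
  record.enforced = ev.disposition === 'enforce';
  const key = violationKey(ev);
  const count = (seen.get(key) || 0) + 1;
  seen.set(key, count);
  record.occurrences = count;
  return count === 1 ? record : null;
}

function resetSeen() { seen.clear(); }

// Browser side: the event is dispatched at the offending element (or the
// document) and bubbles, so one listener on document sees all of them.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (ev) => {
    const record = handleViolation(ev);
    if (record) console.warn('CSP violation', record);
  });
}

// Constructed sample event (assumed shape, not captured from a real browser)
// so the handler can be exercised outside a page, e.g. under Node.
const sampleEvent = {
  documentURI: 'https://app.example/checkout',
  referrer: '',
  blockedURI: 'inline',
  effectiveDirective: 'script-src',
  violatedDirective: 'script-src',
  originalPolicy: "default-src 'self'; script-src 'self'",
  sourceFile: 'https://app.example/checkout',
  sample: '',
  disposition: 'enforce',
  statusCode: 200,
  lineNumber: 42,
  columnNumber: 7,
};

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { handleViolation, classifyBlockedURI, violationKey, resetSeen, sampleEvent };
}
```

The `enforced` flag matters when a site runs an enforced policy and a report-only candidate policy side by side: both produce events, and only the `disposition === 'enforce'` ones correspond to something the browser actually blocked.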

James Graham

Nov 17, 2017, 5:02:29 AM11/17/17
to dev-pl...@lists.mozilla.org
On 17/11/17 05:55, Chung-Sheng Fu wrote:
> Content Security Policy suggests Security Policy Violation DOM Events [1].
> In case any of the directives within a policy are violated, such a
> SecurityPolicyViolationEvent is generated and sent out to a reporting
> endpoint associated with the policy. We are working on implementing those
> violation events here [2] and plan to ship them within Firefox 59.

Do we have cross-browser (i.e. web-platform) tests covering this feature?

Ethan Tseng

Nov 17, 2017, 8:46:45 AM11/17/17
to James Graham, dev-pl...@lists.mozilla.org
On Fri, Nov 17, 2017 at 6:01 PM, James Graham <ja...@hoppipolla.co.uk> wrote:
Yes we do.
The web-platform tests are in the folder
testing/web-platform/meta/content-security-policy/.
Bug 1037335 <https://bugzilla.mozilla.org/show_bug.cgi?id=1037335> added
several tests for this feature and modified a bunch of tests to make them
fit in it.


- Ethan Tseng

Daniel Veditz

Nov 17, 2017, 11:07:07 AM11/17/17
to James Graham, dev-pl...@lists.mozilla.org
On Fri, Nov 17, 2017 at 2:01 AM, James Graham <ja...@hoppipolla.co.uk> wrote:

> Do we have cross-browser (i.e. web-platform) tests covering this feature?


We fail many of the existing CSP web platform tests, despite having
implemented most of the features, because they were written to use the
violation events to check the results.

smaug

Nov 17, 2017, 12:13:52 PM11/17/17
to Chung-Sheng Fu
Looks like there are quite a few spec issues still. Probably better to get those fixed first and then
update our implementation.

James Graham

Nov 17, 2017, 12:26:26 PM11/17/17
to Daniel Veditz, dev-pl...@lists.mozilla.org
Is that an issue with our implementation or something we should fix in
the tests? In either case it seems problematic to have such a feature
and no way of checking for compatibility with other implementations.

amarc...@mozilla.com

Jul 19, 2018, 5:26:23 AM7/19/18
I'm going to enable CSP Violation Events by default in Firefox 63. Bug 1432523.

ckerschb and I have done a good job of making our code compliant with the latest CSP3 spec, and we pass (almost) all the related WPT tests.

The only remaining bit is related to <iframe src="javascript:foo"/> (bug 1473630), but we decided to work on it as a follow-up.
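Earlier in the thread it is noted that the CSP web platform tests use the violation event as their oracle, which is why an implementation without the event fails them. As an added example (not WPT's testharness code or any Firefox test), here is the shape of such an oracle: a helper that resolves when a securitypolicyviolation event matching the expected fields arrives and rejects on timeout. The `FakeTarget` class is a constructed EventTarget stand-in so the helper can be exercised outside a browser; in a page, `document` is the target.

```javascript
'use strict';

// True when every field in `expected` (a subset of event attributes)
// matches the event.
function matchesViolation(ev, expected) {
  for (const [k, v] of Object.entries(expected)) {
    if (ev[k] !== v) return false;
  }
  return true;
}

// Resolve with the first matching securitypolicyviolation event dispatched
// at `target`, or reject after `timeoutMs`. Unrelated violations (e.g. a
// style-src violation while waiting for script-src) are ignored, so one
// test page can trigger several violations without cross-talk.
function waitForViolation(target, expected, timeoutMs = 1000) {
  return new Promise((resolve, reject) => {
    const timer = setTimeout(() => {
      target.removeEventListener('securitypolicyviolation', onEvent);
      reject(new Error('no matching securitypolicyviolation within ' + timeoutMs + ' ms'));
    }, timeoutMs);
    function onEvent(ev) {
      if (!matchesViolation(ev, expected)) return;
      clearTimeout(timer);
      target.removeEventListener('securitypolicyviolation', onEvent);
      resolve(ev);
    }
    target.addEventListener('securitypolicyviolation', onEvent);
  });
}

// Minimal EventTarget stand-in (constructed for this example) so the helper
// runs under Node; only the methods waitForViolation uses are implemented.
class FakeTarget {
  constructor() { this.listeners = new Set(); }
  addEventListener(type, fn) {
    if (type === 'securitypolicyviolation') this.listeners.add(fn);
  }
  removeEventListener(type, fn) { this.listeners.delete(fn); }
  dispatchEvent(ev) {
    for (const fn of [...this.listeners]) fn(ev);
    return true;
  }
}

// Browser usage (skipped under Node). Register the expectation BEFORE
// injecting the offending element: the event is dispatched from a task
// queued at violation time, so a listener added afterwards can miss it.
if (typeof document !== 'undefined') {
  const pending = waitForViolation(document, {
    effectiveDirective: 'script-src',
    blockedURI: 'inline',
  });
  const s = document.createElement('script');
  s.textContent = 'window.__cspInlineRan = true;'; // blocked by script-src without unsafe-inline/nonce
  document.body.appendChild(s);
  pending.then(
    (ev) => console.log('violation observed, disposition=' + ev.disposition),
    (err) => console.error(err.message),
  );
}

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { matchesViolation, waitForViolation, FakeTarget };
}
```

The matcher deliberately checks only the fields the test names, so a test that cares about `effectiveDirective` and `blockedURI` does not break when a browser fills `lineNumber` or `sample` differently.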