Spec: https://html.spec.whatwg.org/multipage/#coep:coep-credentialless
Credentialless is a new cross-origin embedder policy which allows us
to not enforcing CORP when loading cross-origin resources while
providing SharedArrayBuffer.
There are two main things involved here:
1. Fetching cross-origin no-CORS resources omits credentials
- This is done by applying `LOAD_ANONYMOUS` flag to the request
2. Other requests sent with credentials require the server's explicit
permission through the CORS protocol or the CORS header
- This is done by expanding `ProcessCrossOriginResourcePolicyHeader`
function to apply the necessary checks.
Differential Revision: https://phabricator.services.mozilla.com/D147802
Spec: https://html.spec.whatwg.org/multipage/#coep:coep-credentialless
Credentialless is a new cross-origin embedder policy which allows us
to not enforcing CORP when loading cross-origin resources while
providing SharedArrayBuffer.
There are two main things involved here:
1. Fetching cross-origin no-CORS resources omits credentials
- This is done by applying `LOAD_ANONYMOUS` flag to the request
2. Other requests sent with credentials require the server's explicit
permission through the CORS protocol or the CORS header
- This is done by expanding `ProcessCrossOriginResourcePolicyHeader`
function to apply the necessary checks.
Differential Revision: https://phabricator.services.mozilla.com/D147802
Spec: https://html.spec.whatwg.org/multipage/#coep:coep-credentialless
Credentialless is a new cross-origin embedder policy which allows us
to not enforcing CORP when loading cross-origin resources while
providing SharedArrayBuffer.
There are two main things involved here:
1. Fetching cross-origin no-CORS resources omits credentials
- This is done by applying `LOAD_ANONYMOUS` flag to the request
2. Other requests sent with credentials require the server's explicit
permission through the CORS protocol or the CORS header
- This is done by expanding `ProcessCrossOriginResourcePolicyHeader`
function to apply the necessary checks.
Differential Revision: https://phabricator.services.mozilla.com/D147802
Given the Fetch spec, the TAO check algorithm has been updated to
be more restricted. This patch updates the algorithm to match the
spec.
Differential Revision: https://phabricator.services.mozilla.com/D146737
This is a bit of a refactor.
We'll keep the spagetthi code for existing checks, to be able
to easily iterate and pref-flip if things fail later in the cycle.
This also resolves bug 1638770 and removes the "disallow all"
-pref that proved not be a useful approach anyway.
Differential Revision: https://phabricator.services.mozilla.com/D145411
This copies over the behavior for style & subdocument restrictions.
Admittedly, with this if/else spagetthi, it would be preferable to
turn this into restriction levels or lump some of the known-to-be-safe
prefs together, but I would prefer we wait a couple of cycles to
make sure this makes it all the way to release before we refactor.
Differential Revision: https://phabricator.services.mozilla.com/D145306
This commit changes the MOZ_LOG to make the yaml easier to parse,
addressing various shortcomings:
- Firstly, the yaml "document" for a check was an array of dictionaries
that each contained a single key/value pair. It's now a big dictionary
containing lots of key/value pairs instead.
- Indentation was wrong for some of the attributes of the content
security check
- The name key-name for https-only flags was oddly cased
This changeset resolves all of these shortcomings.
Differential Revision: https://phabricator.services.mozilla.com/D128463
We add the new content policy here, but leave the behavior as TYPE_OTHER, so
we can verify that the new test fails before the fix is applied.
Differential Revision: https://phabricator.services.mozilla.com/D124965
As for document.fonts, I don't think we intentionally meant to apply
CSP to User/UserAgent fonts. The document certainly has no authority
to block those from loading. (We already have a separate principal
for these which is further evidence that this was unintentional
and we can use the same bit (mUseOriginPrincipal) to avoid CSP.)
Differential Revision: https://phabricator.services.mozilla.com/D111695
