[Webkit-unassigned] [Bug 184031] New: CSP: Implement 'strict-dynamic' source expression

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 26 20:57:53 PDT 2018


            Bug ID: 184031
           Summary: CSP: Implement 'strict-dynamic' source expression
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
               URL: See
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mike at w3.org

See https://w3c.github.io/webappsec-csp/#strict-dynamic-usage

The CSP 'strict-dynamic' source expression is a way for CSP policies to (1) specify that if a CSP-trusted script loads other scripts, the UA must propagate its trustedness to any other scripts it loads, while also (2) specifying that the UA must ignore any host-source and scheme-source expressions which might also be provided in the policy — as well as ignoring the "'unsafe-inline'" and "'self'" keyword-sources if they are provided in the policy.

Gecko and Blink/Chrome already have 'strict-dynamic' support (not sure if Edge does or not yet).
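
Added illustration (not part of the original bug report, and not WebKit, Gecko or Blink code): a simplified JavaScript model of the two effects of 'strict-dynamic' described above. The policy string, the function names and the script descriptor shape are assumptions made for this example; hashes, wildcards, paths and default-src fallback are left out.

```javascript
// Simplified model of script-src matching, constructed for illustration:
// no hashes, wildcards, paths, default-src fallback or reporting.
const SAMPLE_POLICY = // constructed sample policy
  "script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'self' 'unsafe-inline'";
const isQuoted = (s) => s.startsWith("'");
const lower = (s) => s.toLowerCase();

function scriptSrcSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (lower(name) === 'script-src') return sources;
  }
  return null;
}

// (2) With 'strict-dynamic' present, host-source and scheme-source expressions
// (the unquoted ones) and the 'unsafe-inline' and 'self' keywords are ignored.
function effectiveSources(sources) {
  if (!sources.map(lower).includes("'strict-dynamic'")) return sources;
  return sources.filter((s) =>
    isQuoted(s) && !["'unsafe-inline'", "'self'"].includes(lower(s)));
}

// script: { url?, nonce?, parserInserted }; an inline script has no url.
// pageOrigin is the origin that 'self' refers to.
function allowsScript(policy, script, pageOrigin) {
  const declared = scriptSrcSources(policy);
  if (declared === null) return true; // model: no script-src, nothing enforced
  const sources = effectiveSources(declared);
  const keywords = sources.filter(isQuoted).map(lower);

  // A matching nonce marks the script as trusted by the policy.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  // (1) Trust propagation: a script *request* made by an element the parser did
  // not insert comes from script that is already running. Inline script text
  // added from script still needs a nonce.
  if (keywords.includes("'strict-dynamic'")) {
    return Boolean(script.url) && script.parserInserted === false;
  }
  if (!script.url) { // inline: 'unsafe-inline' is void once a nonce is listed
    return keywords.includes("'unsafe-inline'") &&
      !keywords.some((k) => k.startsWith("'nonce-"));
  }
  const url = new URL(script.url);
  return sources.some((s) =>
    (lower(s) === "'self'" && url.origin === pageOrigin) ||
    lower(s) === url.protocol || // scheme-source such as https:
    lower(s) === url.origin);    // host-source, exact origin only
}
```

With the sample policy, a parser-inserted script from the page's own origin is refused even though 'self' and https: are listed, which is why such policies keep those expressions only as a fallback for UAs without 'strict-dynamic' support.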
