In Firefox 110 (and potentially earlier*) we plan to ship the 'unsafe-hashes' keyword for Content-Security-Policies.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1343950
Specification: https://w3c.github.io/webappsec-csp/
Standards Body: W3C
Position Discussion: Part of https://github.com/mozilla/standards-positions/issues/666
Platform Coverage: All
Preference: security.csp.unsafe-hashes.enabled
Other browsers: Chrome 69 and Safari 15.4 [1]
web-platform-tests: https://wpt.fyi/results/content-security-policy/unsafe-hashes

The 'unsafe-hashes' keyword allows websites to use hashes in their CSP to allow list event handlers and style attributes.

We landed disabled support for unsafe-hashes in Firefox 108 with https://bugzilla.mozilla.org/show_bug.cgi?id=1797070, which also included a fix for a security bug. The security bug basically meant that Firefox behaved like every policy included 'unsafe-hashes'.

There is at least one website that breaks with the security bug fixed and without support for unsafe-hashes: https://bugzilla.mozilla.org/show_bug.cgi?id=1805948

* Because of the observed breakage we might decide to uplift this feature into earlier versions of Firefox.

Tom

[1] https://caniuse.com/?search=unsafe-hashes
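
Added example, not part of the original message and not Firefox's implementation: a simplified JavaScript (Node.js) model of the CSP inline check, showing that a hash only covers an event handler or style attribute when the policy also carries 'unsafe-hashes', and what the described bug changed. The handler text, the sample policies and the `legacyBug` option are constructed for illustration; nonce matching and sha384/sha512 digests are left out.

```javascript
const { createHash } = require('node:crypto');

// Build a CSP hash source; the single quotes are part of the token.
function hashSource(text) {
  const digest = createHash('sha256').update(text, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// sources: tokens of one script-src or style-src directive.
// kind: 'element' for a <script>/<style> body, 'attribute' for an event
//       handler or style attribute.
// legacyBug (hypothetical switch): model the behaviour the message describes,
//       where every policy was treated as if it contained 'unsafe-hashes'.
function allowsInline(sources, kind, text, { legacyBug = false } = {}) {
  const hasHashOrNonce = sources.some((s) => /^'(sha(256|384|512)|nonce)-/.test(s));
  // 'unsafe-inline' is ignored once a hash or nonce source is present.
  if (sources.includes("'unsafe-inline'") && !hasHashOrNonce) return true;
  // Without a matching hash nothing else in this model can allow the content.
  if (!sources.includes(hashSource(text))) return false;
  // Hashes always apply to element bodies.
  if (kind === 'element') return true;
  // For attributes the hash counts only with the opt-in keyword.
  return legacyBug || sources.includes("'unsafe-hashes'");
}

// Constructed sample: the value of an onclick attribute, hashed exactly as written.
const HANDLER = 'submitForm()';
const hashOnly = ["'self'", hashSource(HANDLER)];
const withKeyword = ["'self'", "'unsafe-hashes'", hashSource(HANDLER)];

// Summarise how each policy treats the same onclick handler.
function demo() {
  return {
    hashOnlyFixed: allowsInline(hashOnly, 'attribute', HANDLER),
    hashOnlyBuggy: allowsInline(hashOnly, 'attribute', HANDLER, { legacyBug: true }),
    withKeyword: allowsInline(withKeyword, 'attribute', HANDLER),
  };
}

console.log(`script-src ${withKeyword.join(' ')}`);
console.log(demo());
```

A site whose policy lists handler hashes without the keyword matches the `hashOnly` case: it worked only because of the bug and needs 'unsafe-hashes' added once the fix is in place.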
