As a small follow-up: We have now uplifted this feature into Firefox 109
(Beta currently).

On Fri, Dec 16, 2022 at 4:08 PM Tom Schuster <[email protected]> wrote:
>
> In Firefox 110 (and potentially earlier*) we plan to ship the
> 'unsafe-hashes' keyword for Content-Security-Policies.
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1343950
> Specification: https://w3c.github.io/webappsec-csp/
> Standards Body: W3C
> Position Discussion: Part of
> https://github.com/mozilla/standards-positions/issues/666
> Platform Coverage: All
> Preference: security.csp.unsafe-hashes.enabled
> Other browsers: Chrome 69 and Safari 15.4 [1]
> web-platform-tests:
> https://wpt.fyi/results/content-security-policy/unsafe-hashes
>
> The 'unsafe-hashes' keyword allows websites to use hashes in their CSP
> to allowlist event handlers and style attributes.
>
> We landed disabled support for unsafe-hashes in Firefox 108 with
> https://bugzilla.mozilla.org/show_bug.cgi?id=1797070, which also
> included a fix for a security bug. The security bug basically meant
> that Firefox behaved like every policy included 'unsafe-hashes'. There
> is at least one website that breaks with the security bug fixed and
> without support for unsafe-hashes:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1805948
>
> * Because of the observed breakage we might decide to uplift this
> feature into earlier versions of Firefox.
>
> Tom
>
> [1] https://caniuse.com/?search=unsafe-hashes
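
The behaviour discussed in this thread, as an added example that is not part of the original messages or Firefox's code: a simplified Python model of the inline check for event handlers and style attributes, comparing a hash-only policy with one that also carries 'unsafe-hashes'. The handler text, the policies and the `assume_unsafe_hashes` switch are constructed for illustration, and only the `default-src` fallback is modelled.

```python
import base64
import hashlib

ALGS = ("sha256", "sha384", "sha512")
HASH_OR_NONCE = ("'sha256-", "'sha384-", "'sha512-", "'nonce-")

def csp_hash(value: str, alg: str = "sha256") -> str:
    """Hash-source for the exact attribute value, e.g. the text of onclick="..."."""
    digest = hashlib.new(alg, value.encode("utf-8")).digest()
    return f"'{alg}-{base64.b64encode(digest).decode('ascii')}'"

def parse_policy(policy: str) -> dict:
    """Serialized policy -> {directive: [source expressions]}; first duplicate wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def attribute_allowed(policy, directive, value, assume_unsafe_hashes=False):
    """Simplified inline check for an event handler or style attribute.

    assume_unsafe_hashes=True models the pre-fix behaviour described above,
    where every policy was treated as if it contained 'unsafe-hashes'.
    """
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # nothing governs this attribute
    keywords = [s.lower() for s in sources]
    has_hash_or_nonce = any(k.startswith(HASH_OR_NONCE) for k in keywords)
    if "'unsafe-inline'" in keywords and not has_hash_or_nonce:
        return True  # 'unsafe-inline' only counts when no hash/nonce is present
    if not (assume_unsafe_hashes or "'unsafe-hashes'" in keywords):
        return False  # hashes alone do not cover attributes
    return any(csp_hash(value, alg) in sources for alg in ALGS)

# Constructed sample handler and policies (not taken from any real site)
HANDLER = "doSubmit(event)"
WITHOUT_KEYWORD = f"default-src 'self'; script-src {csp_hash(HANDLER)}"
WITH_KEYWORD = f"default-src 'self'; script-src 'unsafe-hashes' {csp_hash(HANDLER)}"

if __name__ == "__main__":
    for name, pol in (("without", WITHOUT_KEYWORD), ("with", WITH_KEYWORD)):
        print(name, attribute_allowed(pol, "script-src", HANDLER),
              attribute_allowed(pol, "script-src", HANDLER, assume_unsafe_hashes=True))
```

A site whose policy lists only the hash works under the modelled pre-fix behaviour and breaks once the check is enforced, which is the kind of breakage the message reports; adding 'unsafe-hashes' to the policy restores it.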
