Bug 1205448 - Ship subresource integrity enabled by default. r=ckerschb
authorFrancois Marier <francois@mozilla.com>
Thu, 17 Sep 2015 16:33:35 -0700
changeset 295773 5ff4c724c6b7bd64817388512fdcdaa3541c543d
parent 295772 e18e75437c6edefdf26cd447d6352378752dd04e
child 295774 d63692ee53300a39d85b75378fcc24d115777639
push id5245
push userraliiev@mozilla.com
push dateThu, 29 Oct 2015 11:30:51 +0000
reviewersckerschb
bugs1205448
milestone43.0a1
Bug 1205448 - Ship subresource integrity enabled by default. r=ckerschb
modules/libpref/init/all.js
testing/web-platform/meta/subresource-integrity/subresource-integrity.html.ini
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1960,17 +1960,17 @@ pref("security.csp.experimentalEnabled",
 // Default Content Security Policy to apply to privileged apps.
 pref("security.apps.privileged.CSP.default", "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'");
 
 // Mixed content blocking
 pref("security.mixed_content.block_active_content", false);
 pref("security.mixed_content.block_display_content", false);
 
 // Sub-resource integrity
-pref("security.sri.enable", false);
+pref("security.sri.enable", true);
 
 // Disable pinning checks by default.
 pref("security.cert_pinning.enforcement_level", 0);
 // Do not process hpkp headers rooted by not built in roots by default.
 // This is to prevent accidental pinning from MITM devices and is used
 // for tests.
 pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
 
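Review bot: The flipped line `+pref("security.sri.enable", true);` is left under a one-word comment, while the neighbouring pinning prefs explain what their default means and why; a reader of all.js cannot tell from `// Sub-resource integrity` that setting this back to false silently stops integrity checks on scripts and stylesheets that carry an `integrity` attribute. I would extend the comment to something like `// Sub-resource integrity: verify integrity= digests on scripts and stylesheets (on by default, bug 1205448)`. That also gives anyone auditing a profile or enterprise policy that toggles this pref a one-line statement of the security consequence.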
--- a/testing/web-platform/meta/subresource-integrity/subresource-integrity.html.ini
+++ b/testing/web-platform/meta/subresource-integrity/subresource-integrity.html.ini
@@ -1,86 +1,16 @@
 [subresource-integrity.html]
   type: testharness
-  [Doesn't load scripts with improper integrity URI scheme]
-    expected: FAIL
-
-  [Doesn't load scripts with incorrect content-type]
-    expected: FAIL
-
-  [Doesn't load scripts with non-matching digest]
-    expected: FAIL
-
-  [Doesn't load scripts using weak digest algorithm]
-    expected: FAIL
-
-  [Same-origin script with incorrect hash.]
-    expected: FAIL
-
-  [SHA-512 preferred to SHA-256.]
-    expected: FAIL
-
-  [SHA-512 preferred to SHA-384.]
-    expected: FAIL
-
-  [SHA-384 preferred to SHA-256.]
-    expected: FAIL
-
-  [SHA-256 preferred to MD5.]
-    expected: FAIL
-
-  [getPrioritizedHashFunction('SHA-256', 'SHA-256') returns empty string]
-    expected: FAIL
-
-  [Same-origin script with sha256 match, sha512 mismatch]
-    expected: FAIL
-
-  [<crossorigin='anonymous'> with incorrect hash, ACAO: *]
-    expected: FAIL
-
-  [<crossorigin='use-credentials'> with incorrect hash CORS-eligible]
-    expected: FAIL
-
-  [Resource with Refresh header]
-    expected: FAIL
-
-  [Resource with WWW-Authenticate header]
-    expected: FAIL
-
-  [Script: Same-origin with incorrect hash.]
-    expected: FAIL
-
-  [Script: Same-origin with sha256 match, sha512 mismatch]
-    expected: FAIL
-
-  [Script: <crossorigin='anonymous'> with incorrect hash, ACAO: *]
-    expected: FAIL
-
-  [Script: <crossorigin='use-credentials'> with incorrect hash CORS-eligible]
-    expected: FAIL
-
   [Style: Same-origin with incorrect hash.]
     expected: FAIL
 
   [Style: Same-origin with sha256 match, sha512 mismatch]
     expected: FAIL
 
   [Style: <crossorigin='anonymous'> with incorrect hash, ACAO: *]
     expected: FAIL
 
   [Style: <crossorigin='use-credentials'> with incorrect hash CORS-eligible]
     expected: FAIL
 
   [Style: Same-origin with incorrect sha256 and sha512 hash, rel='alternate stylesheet' enabled]
     expected: FAIL
-
-  [Script: Cross-origin, not CORS request, with correct hash]
-    expected: FAIL
-
-  [Script: Cross-origin, not CORS request, with hash mismatch]
-    expected: FAIL
-
-  [Style: Cross-origin, not CORS request, with correct hash]
-    expected: FAIL
-
-  [Style: Cross-origin, not CORS request, with hash mismatch]
-    expected: FAIL
-
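Review bot: The five surviving `Style:` entries (lines `[Style: Same-origin with incorrect hash.]` through the `rel='alternate stylesheet'` case) stay at `expected: FAIL` while the commit message says SRI now ships enabled, and the .ini gives no hint why. If those tests assert that a stylesheet with a mismatched digest is blocked, the remaining expectations suggest stylesheet enforcement is not yet effective with `security.sri.enable` true, which is a noticeable gap for anyone relying on the feature and deserves a sentence in the commit description. I would annotate the remaining block with a comment such as `# Stylesheet SRI mismatch cases still fail with security.sri.enable=true; tracked in bug <TRACKING-BUG>` (placeholder, bug number not on this page) so the expectations are not mistaken for intended behaviour.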