Update http/headers/content-security-policy.json

[bershanskiy]

Summary

Update CSP compatibility data: add a few headers that were added to the spec,

Details

disown-opener

Mark disown-opener as trandards_track: false because it was removed from CSP 3 draft.

script-src-attr, script-src-elem, style-src-attr, style-src-elem

Chrome status
For other browsers see notes in the PR.

trusted-types

• Chrome 73-76: origin trials with a flag, Chrome status
• Chrome 77: I do not know result of origin trials and I can't find launch date, leaving null for now

A checklist to help your pull request get merged faster:

• Summarize your changes
• Data: link to resources that verify support information (such as browser's docs, changelogs, source control, bug trackers, and tests)
• Data: if you tested something, describe how you tested with details like browser and version
• Review the results of the linter and fix problems reported (If you need help, please ask in a comment!)
• Link to related issues or pull requests, if any

[bershanskiy]

The linter error is strange and I don't have time to debug it today, so I'll come back to this PR later. I think some JSON gets passed to Chalk and is interpreted by it as Chalk syntax.

Problems in 1 file:
✖ http/headers/content-security-policy.json
Error: Found extraneous } in Chalk template literal
    at /home/travis/build/mdn/browser-compat-data/node_modules/chalk/templates.js:109:11
    at String.replace (<anonymous>)
    at module.exports (/home/travis/build/mdn/browser-compat-data/node_modules/chalk/templates.js:99:6)
    at chalkTag (/home/travis/build/mdn/browser-compat-data/node_modules/chalk/index.js:221:9)
    at Chalk.chalk.template (/home/travis/build/mdn/browser-compat-data/node_modules/chalk/index.js:36:20)
    at processData (/home/travis/build/mdn/browser-compat-data/test/test-style.js:217:23)
    at testStyle (/home/travis/build/mdn/browser-compat-data/test/test-style.js:267:3)
    at Object.<anonymous> (/home/travis/build/mdn/browser-compat-data/test/lint.js:150:9)
    at Module._compile (internal/modules/cjs/loader.js:777:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:788:10)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] lint: `node test/lint`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the [email protected] lint script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR!     /home/travis/.npm/_logs/2019-07-23T22_37_11_444Z-debug.log
npm ERR! Test failed.  See above for more details.
The command "npm test" exited with 1.

[queengooborg]

Found the source of that Chalk error -- sorry, it's nothing wrong with your PR. I'm sending in a patch right away to fix this!

[bershanskiy]

Found the source of that Chalk error

That was quick!

nothing wrong with your PR

Actually, there was :) I needed to use a short URL for webkit.org (that's what triggered the linter bug in the first place). I fixed that now, would you take a look?

[bershanskiy]

Also, about disown-opener: in this PR I just marked it as "standard_track": false, but we should consider removing it entirely.

• as I mentioned, it was introduced and then removed from the CSP3 spec, so currently it is not documented anywhere
• BCD states it is not supported anywhere (I'll look into this more and comment here if I find anything)
• currently, there is no interest in implementing or standardizing disown-opener, people seem to prefer other solutions to opener problem:
  • Proposal to make target="_blank" on anchors to imply rel="noopener": Windows opened via <a target=_blank> should not have an opener by default whatwg/html#4078

    • also see issues/PRs linked in the discussion (there is a lot)

    • Safari technical preview 68 (Oct 2018):

      Changed target="_blank" on anchors to imply rel="noopener"

    • Safari 12.1 release notes:

      Updated the link behavior for "target=_blank" to include rel="noopener" implicitly.

    • Chrome is interested in following Safari: Experiment: Anchor target=_blank implies rel=noopener

    • Firefox Nightly seems to remove opener by default (tested with this)

  • Safari had a different header that would remove opener when window is created with JS, but I don't remember its name.
  • There is a discussion about changing how window.open works to remove window.opener by default and make it opt-in, I need to find the link.

The list of links is incomplete, there is a lot of discussion about removing opener by default. I'll add more links if I find anything especially interesting.

[Elchi3]

Also, about disown-opener: in this PR I just marked it as "standard_track": false, but we should consider removing it entirely.

Yes. If it never shipped anywhere and is going to be removed from the specs, then we can remove it here entirely.

[bershanskiy]

After some version control system and bug tracker archeology, I'm pretty sure no browser ever implemented disown-opener.

Looks like Firefox never supported disown-opener. If it did this, directive would be listed on the bugzilla or in dom/security/nsCSPUtils.h in CSPStrDirectives or in dom/interfaces/security/nsIContentSecurityPolicy.idl among nsIContentSecurityPolicy values. I looked at these files histories up untill 2014 and did not see disown-opener (the spec added it in 2016).

Safari did not support disown-opener either because it apparently never contained string disown-opener and Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp never had it either (GitHub miror).

Chromium does not mention disown-opener anywhere except for a single TODO comment. and if it was ever supported it should have been in enum DirectiveType in chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.h, but I can't find any hint of it in the history. @jpmedley Would you have some insight on this?

I do not know how to check Edge history but I could not find any hints of disown-opener in connection with it.

Should I push a commit to remove disown-opener?

[Elchi3]

Should I push a commit to remove disown-opener?

I would say yes, remove it. Thanks for your intense research on this topic! 👍

[jpmedley]

I have no insight on this.

[bershanskiy]

@Elchi3

remove it.

Done!

[Elchi3]

Thank you for these updates and for writing the docs 👍