Bug #101477
Updated by Oliver Hader 10 months ago
The CSP directives 'report-to', 'require-trusted-types-for' and
'trusted-types' have been added. Albeit there aren't any typed value
counterparts yet, they can be wrapped in a RawValue object, e.g.
<pre>
new Mutation(
    MutationMode::Set,
    Directive::RequireTrustedTypesFor,
    new RawValue("'script'")
),
</pre>
The cases for 'unsafe-hashes' and 'strict-dynamic' were accidentally
added as directives instead of source keywords and have been removed.
The source schemes 'filesystem:' and 'mediastream' have been added.
Besides that, the frontend CSP configuration now limits using the
@<base>@ element to same-origin URIs. The backend CSP configuration
is now even stricter since using @<base>@, @<embed>@ and @<object>@
elements is blocked.
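
A way to check an emitted policy against the points above, as an added example that is not part of the original change or of TYPO3's code. It assumes the standard CSP mapping (@base-uri@ governs @<base>@, @object-src@ governs @<object>@ and @<embed>@); the function names, the scope labels and the sample headers are constructed for illustration.

```python
# Added example: audit a Content-Security-Policy header value for the
# hardening described above. Sample headers are constructed, not TYPO3 output.

KEYWORDS_NOT_DIRECTIVES = {"unsafe-hashes", "strict-dynamic"}

def parse_csp(header):
    """Split a policy into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(header, scope):
    """Return findings for scope 'frontend' or 'backend' (labels of this example)."""
    policy = parse_csp(header)
    findings = []
    # A source keyword written as a directive name has no effect in browsers.
    for name in policy:
        if name.strip("'") in KEYWORDS_NOT_DIRECTIVES:
            findings.append(f"{name} is a source keyword, not a directive")
    # base-uri has no default-src fallback, so it has to be set explicitly.
    allowed = {"frontend": (["'self'"], ["'none'"]), "backend": (["'none'"],)}[scope]
    if policy.get("base-uri") not in allowed:
        findings.append("base-uri missing or too broad")
    # object-src is a fetch directive and falls back to default-src.
    if scope == "backend":
        if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
            findings.append("object-src does not block <object>/<embed>")
    # The only value defined for require-trusted-types-for is 'script'.
    rtt = policy.get("require-trusted-types-for")
    if rtt is not None and rtt != ["'script'"]:
        findings.append("require-trusted-types-for must be 'script'")
    return findings

# Constructed sample policies.
BACKEND_OK = ("default-src 'self'; base-uri 'none'; object-src 'none'; "
              "require-trusted-types-for 'script'")
FRONTEND_BAD = "default-src 'self'; strict-dynamic; base-uri https:"

if __name__ == "__main__":
    for label, header, scope in (("backend", BACKEND_OK, "backend"),
                                 ("frontend", FRONTEND_BAD, "frontend")):
        print(label, audit(header, scope) or "ok")
```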