Closed Bug 1976656 Opened 10 months ago Closed 10 months ago

Enable Integrity-Policy by default for scripts in Nightly

Categories

(Core :: DOM: Security, task)

task

Tracking

RESOLVED FIXED
142 Branch
Tracking Status
firefox142 --- fixed

People

(Reporter: freddy, Assigned: fkilic)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete)

Attachments

(1 file)

We should flip the pref and ship Integrity-Policy for scripts (and scripts only).
Other extensions should be their own roll-outs, such that we can move with other browsers in lockstep.

Assignee: nobody → fkilic
Status: NEW → ASSIGNED
Summary: Enable Integrity-Policy by default (flip the pref) → Enable Integrity-Policy by default in Nightly
Pushed by abutkovits@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/5252fc09f0e0 https://hg.mozilla.org/integration/autoland/rev/f3c9586d001f Revert "Bug 1976656 - Enable Integrity-Policy by default for scripts. r=freddyb" for causing failures at test_console_messages.html.

Sorry, I forgot about the other pref in this patch. We depended on that pref. I fixed it now. Thank you!

Flags: needinfo?(fkilic)
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch
Summary: Enable Integrity-Policy by default in Nightly → Enable Integrity-Policy by default for scripts in Nightly

Release Note Request (optional, but appreciated)
[Why is this notable]: This will allow websites to ensure that all of their scripts are protected with integrity data.
[Affects Firefox for Android]: yes
[Suggested wording]: Starting with Firefox 142, Nightly builds now support the Integrity-Policy header allowing websites to ensure that all of their scripts are protected with integrity data. It is currently limited to scripts but will be expanded in the future to provide full web application integrity.
[Links (documentation, blog post, etc)]:
https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Integrity-Policy
https://groups.google.com/a/mozilla.org/g/firefox-dev/c/sNkFXkzK3OQ/m/KRQFs2jNAAAJ (cross-linking to the related newsletter may push it)

relnote-firefox: --- → ?

Added to the Nightly release notes.

QA Whiteboard: [qa-triage-done-c143/b142]

FF142 MDN docs for this can be tracked in https://github.com/mdn/content/issues/40667

  1. Do we support Integrity-Policy-Report-Only as well as Integrity-Policy ?
  2. I assume we can specify the reporting endpoints?
    • I ask because these are sent in Reporting-Endpoints, which also needs to be enabled via dom.reporting.enabled
Flags: needinfo?(fbraun)

@sebastian, @ryan FWIW I would not mention "It is currently limited to scripts but will be expanded in the future to provide full web application integrity." in the release note.

This is a limitation of the specification and something that the specification may do in future. But if you put it in the release note it reads like Firefox has a partial implementation of the specification that we're still working on.

(In reply to Hamish Willee from comment #11)

@sebastian, @ryan FWIW I would not mention "It is currently limited to scripts but will be expanded in the future to provide full web application integrity." in the release note.

I just took this limitation from the intent to prototype and ship announcement. I have to admit, I didn't read the spec. before.

This is a limitation of the specification and something that the specification may do in future. But if you put it in the release note it reads like Firefox has a partial implementation of the specification that we're still working on.

I skimmed through the spec. now and it at least already mentions a destination type of style besides script. So it seems to me that it is rather an implementation limitation that is shared between browsers and not a spec. limitation.

If I am correct, I think the note should mention that all browsers are currently limited to script. And the BCD should get a new entry for style as well as https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Integrity-Policy#blocked-destinations.

Though Fatih may clarify the details here.

Sebastian

Flags: needinfo?(fkilic)

Thanks @Sebastian. It had been a while since I read the script, and it certainly looks like you're right about this being release note-worthy.
MDN doesn't document things until they are supported in at least one browser so we wouldn't add style to the docs yet. Not sure about BCD, but I suspect they are similar in that they omit features that aren't supported in any browser, at least for HTTP features.

  1. Do we support Integrity-Policy-Report-Only as well as Integrity-Policy ?

We "support" Integrity-Policy-Report-Only too, but only for console logging. Nothing is plugged into the Reporting API.

  2. I assume we can specify the reporting endpoints?
    • I ask because these are sent in Reporting-Endpoints, which also needs to be enabled via dom.reporting.enabled

Again, nothing is plugged into the Reporting API. When I was working on the implementation, I was told the Reporting API isn't complete, and we didn't really have supporting it as a goal.

If I am correct, I think the note should mention that all browsers are currently limited to script. And the BCD should get a new entry for style as well as https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Integrity-Policy#blocked-destinations.

I think so, yes. We created bugs asking other engines to add support for stylesheets too. (chromium and webkit).

FWIW, we do support stylesheets but it is behind the pref security.integrity_policy.stylesheet.enabled

Flags: needinfo?(fkilic)

(In reply to Fatih Kilic [:fkilic] from comment #14)

FWIW, we do support stylesheets but it is behind the pref security.integrity_policy.stylesheet.enabled

Thanks for the note! I've added the dev-doc-needed flag to bug 1974247, as well.

Sebastian

Thanks very much. FYI I added BCD subfeatures for the style and script, and added partial implementation for the fact that the reporting endpoints aren't integrated. Experimental features now mentions both.

Removed from the Nightly release notes as it's been included for more than 3 cycles now. Feel free to nominate this for a fresh release note once this feature is ready to ride the trains.

Flags: needinfo?(fbraun)