Closed Bug 875706 Opened 11 years ago Closed 11 years ago

Flip the pref to enable the Content Security Policy (CSP) 1.0 parser for SeaMonkey.

Categories

(SeaMonkey :: Preferences, defect)

Not set
normal

Tracking

(seamonkey2.20 fixed, seamonkey2.21 fixed)

RESOLVED FIXED
seamonkey2.21

People

(Reporter: philip.chee, Assigned: philip.chee)


Attachments

(1 file)

References:
  FX Bug 842657 Flip the pref to enable the CSP 1.0 parser for Firefox.
  FXOS Bug 858787 Flip the pref to turn on the CSP 1.0 parser for Firefox OS

http://en.wikipedia.org/wiki/Content_Security_Policy

https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465#Background

> Content Security Policy is intended to help web designers or server 
> administrators specify how content interacts on their web sites. It helps 
> mitigate and detect types of attacks such as XSS and data injection. CSP is not 
> intended to be a main line of defense, but rather one of the many layers of 
> security that can be employed to help secure a web site.
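To make concrete what "CSP 1.0 policies with the standard syntax/semantics" means for the parser this bug enables, here is an added example (not Mozilla's code and not the Gecko parser): a small Python evaluator for CSP 1.0 headers that parses directives, applies the default-src fallback, and matches 'self', 'none', 'unsafe-inline', '*', scheme-sources and wildcard host-sources. The policy and URLs are constructed for illustration.

```python
# Added example (not Mozilla's code): a small evaluator for CSP 1.0 policy
# headers showing the standard syntax/semantics the flipped pref turns on.
# Simplifications: ports and paths in host-sources are ignored.
from urllib.parse import urlsplit

def parse_policy(header):
    """Parse "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _host_matches(pattern, host):
    # "*.example.org" matches any subdomain but not the bare domain itself.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def _source_matches(src, url, page):
    u = urlsplit(url)
    if src == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. "https:"
        return u.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")           # host-source, optional scheme
    if scheme and u.scheme != scheme:
        return False
    if not scheme and u.scheme != page.scheme:        # no scheme given: use the page's
        return False
    return _host_matches(host.split(":")[0].lower(), (u.hostname or "").lower())

def allows(policy, directive, page_url, resource_url=None):
    """Is a load (inline code when resource_url is None) permitted? A missing directive falls back to default-src."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                                   # nothing governs this load
    if "'none'" in sources:
        return False
    if resource_url is None:
        return "'unsafe-inline'" in sources           # inline script/style
    page = urlsplit(page_url)
    return any(_source_matches(s, resource_url, page) for s in sources)

# Constructed sample policy (not from the bug) for the checks that follow.
POLICY = parse_policy("default-src 'self'; script-src 'self' https://*.cdn.example; report-uri /csp")
```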
Attachment #753708 - Flags: review?(iann_bugzilla)
Comment on attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.

>+++ b/suite/browser/browser-prefs.js
>@@ -789,16 +789,18 @@ pref("breakpad.reportURL", "http://crash
> // Name of alternate about: page for certificate errors (when undefined, defaults to about:neterror)
> pref("security.alternate_certificate_error_page", "certerror");
> pref("security.warn_entering_secure", false);
> pref("security.warn_leaving_secure", false);
> pref("security.warn_submit_insecure", false);
> pref("security.warn_viewing_mixed", true);
> pref("security.warn_mixed_active_content", true);
> pref("security.warn_mixed_display_content", false);
>+// Turn on the CSP 1.0 parser for Content Security Policy headers
>+pref("security.csp.speccompliant", true);
> // Block insecure active content on https pages
> pref("security.mixed_content.block_active_content", true);
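Review bot: the two added lines land between the security.warn_mixed_* prefs and security.mixed_content.block_active_content, so they split the mixed-content group in browser-prefs.js; move `// Turn on the CSP 1.0 parser for Content Security Policy headers` and `pref("security.csp.speccompliant", true);` to after `pref("security.mixed_content.block_active_content", true);` so the mixed-content prefs stay contiguous. It would also help future readers to note in the comment that this mirrors the Firefox flip in Bug 842657, since that is where the rationale and any revert discussion live.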
My preference would be to have the new pref here rather than where you have it.
r=me with that fixed.
Attachment #753708 - Flags: review?(iann_bugzilla) → review+
Pushed http://hg.mozilla.org/comm-central/rev/1bc26fe50696

>> // Block insecure active content on https pages
>> pref("security.mixed_content.block_active_content", true);
> My preference would be to have the new pref here rather than where you have it.
Fixed on check-in.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.21
Comment on attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.

See Firefox Bug 842657 Comment 17 and Bug 842657 Comment 22

[Approval Request Comment]
Bug caused by (feature/regressing bug #): New feature
User impact if declined: CSP 1.0 policies with the standard syntax/semantics will not be supported.
Testing completed (on m-c, etc.): This landed on m-c on 2013-05-17, seemingly without problems.
Risk to taking this patch (and alternatives if risky): Other people should comment on the risk as far as coding change risk is concerned. There is some compatibility risk for a small number of websites that are using CSP 1.0. However, it will be easy to revert this change if we run into problems.
String or IDL/UUID changes made by this patch: None
Attachment #753708 - Flags: approval-comm-aurora?
Attachment #753708 - Flags: approval-comm-aurora? → approval-comm-aurora+