Bug 875706 - Flip the pref to enable the Content Security Policy (CSP) 1.0 parser for SeaMonkey.
Status: RESOLVED FIXED (Closed; opened 11 years ago, closed 11 years ago)
Product/Component: SeaMonkey :: Preferences, defect
Tracking: seamonkey2.20 fixed, seamonkey2.21 fixed
Target Milestone: seamonkey2.21
Reporter: philip.chee, Assigned: philip.chee
Attachments (1 file): 1.34 KB, patch; flags: iannbugzilla: review+, iannbugzilla: approval-comm-aurora+
Description

References:
FX Bug 842657 Flip the pref to enable the CSP 1.0 parser for Firefox.
FXOS Bug 858787 Flip the pref to turn on the CSP 1.0 parser for Firefox OS

http://en.wikipedia.org/wiki/Content_Security_Policy
https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465#Background

> Content Security Policy is intended to help web designers or server
> administrators specify how content interacts on their web sites. It helps
> mitigate and detect types of attacks such as XSS and data injection. CSP is not
> intended to be a main line of defense, but rather one of the many layers of
> security that can be employed to help secure a web site.
Comment 1•11 years ago (Assignee)
Attachment #753708 - Flags: review?(iann_bugzilla)
Comment on attachment 753708 [details] [diff] [review] Patch v1.0 Do it. >+++ b/suite/browser/browser-prefs.js >@@ -789,16 +789,18 @@ pref("breakpad.reportURL", "http://crash > // Name of alternate about: page for certificate errors (when undefined, defaults to about:neterror) > pref("security.alternate_certificate_error_page", "certerror"); > pref("security.warn_entering_secure", false); > pref("security.warn_leaving_secure", false); > pref("security.warn_submit_insecure", false); > pref("security.warn_viewing_mixed", true); > pref("security.warn_mixed_active_content", true); > pref("security.warn_mixed_display_content", false); >+// Turn on the CSP 1.0 parser for Content Security Policy headers >+pref("security.csp.speccompliant", true); > // Block insecure active content on https pages > pref("security.mixed_content.block_active_content", true); My preference would be to have the new pref here rather than where you have it. r=me with that fixed.
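Review bot: the comment added above the new `pref("security.csp.speccompliant", true);` line in suite/browser/browser-prefs.js should name the Firefox change it mirrors (bug 842657, listed in the description), so that whoever later syncs this file against the core default, or reverts the flip as the approval request anticipates, can see why SeaMonkey sets it explicitly; something like `// Turn on the CSP 1.0 parser for Content Security Policy headers (see bug 842657)`. The hunk header's 16 → 18 line count matches the two added lines, so no other part of the hunk needs attention beyond the placement already requested.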
Attachment #753708 - Flags: review?(iann_bugzilla) → review+
Comment 3•11 years ago (Assignee)
Pushed http://hg.mozilla.org/comm-central/rev/1bc26fe50696

>> // Block insecure active content on https pages
>> pref("security.mixed_content.block_active_content", true);
> My preference would be to have the new pref here rather than where you have it.

Fixed on check-in.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.21
Comment 4•11 years ago (Assignee)
Comment on attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.

See Firefox Bug 842657 Comment 17 and Bug 842657 Comment 22

[Approval Request Comment]
Bug caused by (feature/regressing bug #): New feature
User impact if declined: CSP 1.0 policies with the standard syntax/semantics will not be supported.
Testing completed (on m-c, etc.): This landed on m-c on 2013-05-17, seemingly without problems.
Risk to taking this patch (and alternatives if risky): Other people should comment on the risk as far as coding change risk is concerned. There is some compatibility risk for a small number of websites that are using CSP 1.0. However, it will be easy to revert this change if we run into problems.
String or IDL/UUID changes made by this patch: None
Attachment #753708 - Flags: approval-comm-aurora?
Updated•11 years ago (Assignee)
status-seamonkey2.20: --- → affected
status-seamonkey2.21: --- → fixed
Attachment #753708 - Flags: approval-comm-aurora? → approval-comm-aurora+
Comment 5•11 years ago (Assignee)
Pushed to comm-aurora: http://hg.mozilla.org/releases/comm-aurora/rev/22eb4f29fa78