Remove remaining relicts of deprecated X-CSP header

RESOLVED FIXED in mozilla34

Status

Core
DOM: Security
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: ckerschb, Assigned: ckerschb)

Tracking

unspecified
mozilla34
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

3 years ago
When browsing through the code I found that we are still referencing 'x-csp-headers':
http://mxr.mozilla.org/mozilla-central/search?string=x-content-security

All of them should be gone by now!
(Assignee)

Updated

3 years ago
Depends on: 994782
(Assignee)

Comment 1

3 years ago
Created attachment 8472081 [details] [diff] [review]
bug_1053028_xcsp_artifacts.patch

Fixed it right away! Sid, any objections?
Attachment #8472081 - Flags: review?(sstamm)
Comment on attachment 8472081 [details] [diff] [review]
bug_1053028_xcsp_artifacts.patch

Review of attachment 8472081 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with a few things.

::: browser/extensions/pdfjs/content/PdfStreamConverter.jsm
@@ +906,5 @@
>        aRequest.setResponseHeader('Content-Security-Policy', '', false);
>        aRequest.setResponseHeader('Content-Security-Policy-Report-Only', '',
>                                   false);
> +      aRequest.setResponseHeader('Content-Security-Policy', '', false);
> +      aRequest.setResponseHeader('Content-Security-Policy-Report-Only', '',
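
Review bot: the two added setResponseHeader calls are identical to the two context calls directly above them, so this hunk clears Content-Security-Policy and Content-Security-Policy-Report-Only twice. If they are the result of renaming header names in place, drop them instead so that each header is cleared exactly once.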

Just delete these lines.  They're duplicates of the two immediately above.

::: dom/locales/en-US/chrome/security/security.properties
@@ -8,5 @@
> -# LOCALIZATION NOTE: Do not translate "X-Content-Security-Policy", "X-Content-Security-Policy-Report-Only",  "Content-Security-Policy" or "Content-Security-Policy-Report-Only"
> -OldCSPHeaderDeprecated=The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead.
> -# LOCALIZATION NOTE: Do not translate "X-Content-Security-Policy/Report-Only" or "Content-Security-Policy/Report-Only"
> -BothCSPHeadersPresent=This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored.
> -
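
Review bot: removing the OldCSPHeaderDeprecated and BothCSPHeadersPresent keys is only safe once nothing in the tree still looks them up, so search for both names before landing; a leftover lookup would only surface at runtime. The localization notes go with the strings, so removing all four lines together, as the hunk does, is the right grouping.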

Don't change the strings here; let's do them all in bug 1000945.
Attachment #8472081 - Flags: review?(sstamm) → review+
(Assignee)

Updated

3 years ago
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
(Assignee)

Comment 3

3 years ago
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #2)
> ::: dom/locales/en-US/chrome/security/security.properties
> @@ -8,5 @@
> > -# LOCALIZATION NOTE: Do not translate "X-Content-Security-Policy", "X-Content-Security-Policy-Report-Only",  "Content-Security-Policy" or "Content-Security-Policy-Report-Only"
> > -OldCSPHeaderDeprecated=The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead.
> > -# LOCALIZATION NOTE: Do not translate "X-Content-Security-Policy/Report-Only" or "Content-Security-Policy/Report-Only"
> > -BothCSPHeadersPresent=This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored.
> > -
> 
> Don't change the strings here; let's do them all in bug 1000945.

Are you sure? The name of the file is security.properties, not csp.properties. I would rather delete those lines with the patch for this bug.
Ok, sure, why not.  Then we have less to do in 1000945.
(Assignee)

Comment 5

3 years ago
Created attachment 8476458 [details] [diff] [review]
bug_1053028_xcsp_artifacts_v2.patch

(In reply to Sid Stamm [:geekboy or :sstamm] from comment #2)
                                  false);
> > +      aRequest.setResponseHeader('Content-Security-Policy', '', false);
> > +      aRequest.setResponseHeader('Content-Security-Policy-Report-Only', '',
> 
> Just delete these lines.  They're duplicates of the two immediately above.

Obviously :-) Deleted those two lines.
Attachment #8472081 - Attachment is obsolete: true
Attachment #8476458 - Flags: review+
(Assignee)

Comment 6

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/e0bd2eb2c3d7
Target Milestone: --- → mozilla34
https://hg.mozilla.org/mozilla-central/rev/e0bd2eb2c3d7
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Flags: qe-verify-