Content Security Policy: Make deprecation warning for 'frame-src' smarter

Status: RESOLVED FIXED
Product: Core
Component: DOM: Security
Priority: P3
Severity: normal
Reported: 2 years ago
Last updated: 4 months ago

People: Reporter: Steffen Weber, Assigned: g

Tracking: Blocks 1 bug
Version: 44 Branch
Firefox Tracking Flags: Not tracked

Whiteboard: [domsecurity-backlog3]

Attachments: 1 attachment

Description (Reporter, 2 years ago)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Steps to reproduce:

Visit a site whose Content Security Policy uses the "child-src" directive and its deprecated counterpart "frame-src" (both have identical values).

Actual results:

Firefox logs a warning in the Developer Tools: "Content Security Policy: Directive 'frame-src' has been deprecated. Please use directive 'child-src' instead."

Expected results:

IMHO, no warning should be logged if a "child-src" directive exists that has the same value as the "frame-src" directive. In practice, both directives have to be used because "child-src" is only supported by Chrome 40+ and Firefox 45+. All other browsers do not yet understand "child-src" and require "frame-src". In practice it is not possible to only use "child-src" and it probably won't be for a few years.

I therefore suggest not displaying this warning if a) both directives exist and b) both directives have the same value. The warning should still be displayed if "child-src" does not exist or if "child-src" has a different value than "frame-src".

Comment 1 (Reporter, 2 years ago)

Example URL: https://www.computerbase.de/login/

Updated (2 years ago)

Component: Untriaged → DOM: Security
Product: Firefox → Core

Steffen, thanks for reporting; makes total sense to me; putting this in the backlog.

Blocks: 1242016
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog3]

Updated (2 years ago)

Duplicate of this bug: 1297078

Comment 4 (Reporter, a year ago)

Content Security Policy Level 3 has un-deprecated the frame-src directive, see: https://w3c.github.io/webappsec-csp/#changes-from-level-2

So I guess this warning should just be removed.

Comment 5 (9 months ago)

Following up on the above comment, and having done some research on it, it should indeed be removed; see http://stackoverflow.com/questions/30023608/how-to-use-frame-src-and-child-src-in-firefox-and-other-browsers as well.

Comment 6 (Assignee, 5 months ago)

Created attachment 8910547: Remove CSP frame-src console deprecation warning

Updated (Assignee, 5 months ago)

Assignee: nobody → gguthe
Status: NEW → ASSIGNED

Comment 7 (Assignee, 5 months ago)

Comment on attachment 8910547
Remove CSP frame-src console deprecation warning

Review of attachment 8910547:
-----------------------------------------------------------------

frame-src is undeprecated in CSPv3 so I think we can just remove this warning.

Ran the devtools/client/webconsole/test and dom/security/test/csp mochitests; loading a page with <meta http-equiv="Content-Security-Policy" content="child-src 'none'; frame-src 'none'"> doesn't log the deprecation warning.

Attachment #8910547 - Flags: review?(ckerschb)

Comment 8

Greg, thanks for putting this patch together. In fact there is more to it in CSP3: child-src is now deprecated and one should use frame-src as well as worker-src instead. I just assigned Bug 1302667 to myself and would like to get that shipped for FF58. Within Bug 1302667 I also do the correct fallback handling for child-src in case frame-src and/or worker-src is not set.

I marked Bug 1302667 blocking this one to get everything fixed correctly instead of just removing the deprecation warning - sounds good?

Depends on: 1302667
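The CSP3 fallback handling Christoph describes above (a frame or worker load governed by child-src, then default-src, when frame-src or worker-src is not set), together with the reporter's original proposal for a smarter warning, as an added JavaScript example that is not part of this bug or of Firefox's code. The fallback chains follow the CSP3 spec linked in comment 4; the parser is a deliberately simplified one and all policy strings are constructed.

```javascript
// Parse "dir1 v1 v2; dir2 v3" into a Map of directive name -> source list.
// Simplified: no validation of source expressions, only directive splitting.
function parseCsp(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    // CSP honours only the first occurrence of a directive; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// CSP3 fallback chains (from the spec; assumed here, not quoted from Firefox code):
//   frame loads:  frame-src  -> child-src -> default-src
//   worker loads: worker-src -> child-src -> script-src -> default-src
const FALLBACKS = {
  frame: ['frame-src', 'child-src', 'default-src'],
  worker: ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// Return { directive, sources } for the first directive in the chain that is set,
// or null when none is set (this policy places no restriction on that load).
function effectiveDirective(policy, kind) {
  const directives = parseCsp(policy);
  for (const name of FALLBACKS[kind]) {
    if (directives.has(name)) return { directive: name, sources: directives.get(name) };
  }
  return null;
}

// The reporter's proposed rule for the old warning: warn about frame-src only when
// child-src is absent or carries a different value.
function frameSrcWarningNeeded(policy) {
  const d = parseCsp(policy);
  if (!d.has('frame-src')) return false;
  if (!d.has('child-src')) return true;
  return d.get('frame-src').join(' ') !== d.get('child-src').join(' ');
}

// Constructed policy mirroring the one tested in comment 7.
const samplePolicy = "child-src 'none'; frame-src 'none'";
console.log(effectiveDirective(samplePolicy, 'frame'));   // governed by frame-src
console.log(frameSrcWarningNeeded(samplePolicy));          // false under the proposed rule
```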

Comment 9

Comment on attachment 8910547
Remove CSP frame-src console deprecation warning

Review of attachment 8910547:
-----------------------------------------------------------------

See previous comment.

Attachment #8910547 - Flags: review?(ckerschb)

Comment 10 (Assignee, 5 months ago)

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #8)
> 
> I marked Bug 1302667 blocking this one to get everything fixed correctly
> instead of just removing the deprecation warning - sounds good?

Yeah, that's great! Thanks.

This was fixed as part of bug 1302667

Status: ASSIGNED → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → FIXED