Closed Bug 1288896 Opened 8 years ago Closed 7 years ago

Content Security Policy: Make deprecation warning for 'frame-src' smarter

Categories

(Core :: DOM: Security, defect, P3)

44 Branch
defect

RESOLVED FIXED

People

(Reporter: steffen.weber, Assigned: u581815)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog3])

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Steps to reproduce:

Visit a site whose Content Security Policy uses the "child-src" directive and its deprecated pendant "frame-src" (both have identical values).


Actual results:

Firefox logs a warning in the Developer Tools: "Content Security Policy: Directive 'frame-src' has been deprecated. Please use directive 'child-src' instead."


Expected results:

IMHO, no warning should be logged if a "child-src" directive exists that has the same value as the "frame-src" directive. In practice, both directives have to be used because "child-src" is only supported by Chrome 40+ and Firefox 45+. All other browsers do not yet understand "child-src" and require "frame-src". In practice it is not possible to only use "child-src" and it probably won't be for a few years.

I therefore suggest not displaying this warning if a) both directives exist and b) both directives have the same value. The warning should still be displayed if "child-src" does not exist or if "child-src" has a different value than "frame-src".
Example URL: https://www.computerbase.de/login/
Component: Untriaged → DOM: Security
Product: Firefox → Core
Steffen, thanks for reporting; makes total sense to me; putting this in the backlog.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog3]
Content Security Policy Level 3 has un-deprecated the frame-src directive, see: https://w3c.github.io/webappsec-csp/#changes-from-level-2

So I guess this warning should just be removed.
Following up on the above comment and doing some research on it, it should indeed be removed; see
http://stackoverflow.com/questions/30023608/how-to-use-frame-src-and-child-src-in-firefox-and-other-browsers as well.
Assignee: nobody → gguthe
Status: NEW → ASSIGNED
Comment on attachment 8910547 [details] [diff] [review]
Remove CSP frame-src console deprecation warning

Review of attachment 8910547 [details] [diff] [review]:
-----------------------------------------------------------------

frame-src is undeprecated in CSPv3 so I think we can just remove this warning.

Ran the devtools/client/webconsole/test and dom/security/test/csp mochitests and loading a page with: <meta http-equiv="Content-Security-Policy" content= "child-src 'none'; frame-src 'none'"> doesn't log the deprecation warning.
Attachment #8910547 - Flags: review?(ckerschb)
Greg, thanks for putting this patch together. In fact there is more to it in CSP3: child-src is now deprecated and one should use frame-src as well as worker-src instead. I just assigned Bug 1302667 to myself and would like to get that shipped for FF58. Within Bug 1302667 I also do the correct fallback handling for child-src in case frame-src and/or worker-src is not set.

I marked Bug 1302667 blocking this one to get everything fixed correctly instead of just removing the deprecation warning - sounds good?
Depends on: 1302667
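Added example (not Firefox code and not the patch under review): resolves which directive governs a frame or worker load under the CSP Level 3 fallback chain described in the comment above, and alongside it the reporter's proposed "warn only if child-src is missing or differs" rule for comparison. The parser and the sample policies are constructed here; the fallback order itself follows the CSP3 specification.

```javascript
// Parse a serialized CSP into a Map of directive name -> source list.
// As in CSP, a repeated directive name keeps only its first occurrence.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// CSP3 fallback chains (child-src is deprecated but still consulted):
//   frame-src  -> child-src -> default-src
//   worker-src -> child-src -> script-src -> default-src
const FALLBACKS = {
  "frame-src": ["frame-src", "child-src", "default-src"],
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
};

// Returns { directive, sources } for the directive that governs `kind`
// ("frame-src" or "worker-src"), or null if nothing restricts that load.
function effectiveDirective(policy, kind) {
  const directives = parsePolicy(policy);
  for (const name of FALLBACKS[kind]) {
    if (directives.has(name)) {
      return { directive: name, sources: directives.get(name) };
    }
  }
  return null;
}

// The reporter's proposed rule: only warn about frame-src when child-src
// is absent or lists a different set of sources (order-insensitive).
function legacyWarningNeeded(policy) {
  const d = parsePolicy(policy);
  if (!d.has("frame-src")) return false;
  if (!d.has("child-src")) return true;
  const key = (list) => [...list].sort().join(" ");
  return key(d.get("frame-src")) !== key(d.get("child-src"));
}

// Constructed sample: the policy used in the review comment above.
const samplePolicy = "child-src 'none'; frame-src 'none'";
```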
Comment on attachment 8910547 [details] [diff] [review]
Remove CSP frame-src console deprecation warning

Review of attachment 8910547 [details] [diff] [review]:
-----------------------------------------------------------------

See previous comment.
Attachment #8910547 - Flags: review?(ckerschb)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #8)
> 
> I marked Bug 1302667 blocking this one to get everything fixed correctly
> instead of just removing the deprecation warning - sounds good?

Yeah, that's great! Thanks.
This was fixed as part of bug 1302667
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED