Closed Bug 1302449 Opened 8 years ago Closed 6 years ago

deprecating the "referrer" directive in CSP

Categories

(Core :: DOM: Security, defect, P3)

51 Branch
defect


RESOLVED FIXED
mozilla62
Tracking Status
firefox62 --- fixed

People

(Reporter: kjozwiak, Assigned: baku)

References

(Blocks 2 open bugs)

Details

(Keywords: dev-doc-complete, site-compat, Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

The W3C has recently added tests [1] under the Web Platform Test Runner that check and ensure that browsers are not using the CSP "referrer" directive to set a Referrer Policy which has been replaced by the Referrer-Policy header [2].

Chris, would removing the CSP "referrer" directive cause any compatibility issues? Is the directive still widely used on the web?

[1] https://w3c-test.org/referrer-policy/generic/unsupported-csp-referrer-directive.html
[2] https://github.com/w3c/web-platform-tests/pull/3416
Flags: needinfo?(ckerschb)
Hey Kamil, I suppose the least we can do is log a warning to the console that it's deprecated and also get some telemetry data (somewhere around here [1]). If not too many pages rely on it, I am fine with removing the code from CSP. But I suppose we should wait at least 2 cycles to give folks a chance to switch and use the Referrer-Policy header. Agreed?

[1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPParser.cpp#867
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Hey Kamil, I suppose the least we can do is log a warning to the console
> that it's deprecated and also get some telemetry data (somewhere around here
> [1]). If not too many pages rely on it, I am fine with removing the code
> from CSP. But I suppose we should wait at least 2 cycles to give folks a
> chance to switch and use the Referrer-Policy header. Agreed?
> 
> [1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPParser.cpp#867

Completely agreed :)
Keywords: site-compat
Blocks: 1409600
I'm not sure this is enough. ... and I still have to see how many WPTs are broken by this patch.
Assignee: nobody → amarchesini
Attachment #8973696 - Flags: review?(ckerschb)
Comment on attachment 8973696 [details] [diff] [review]
csp_referrer.patch

Review of attachment 8973696 [details] [diff] [review]:
-----------------------------------------------------------------

that looks good to me, thanks and r=me!
Attachment #8973696 - Flags: review?(ckerschb) → review+
Blocks: 1455236
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eeaae6812d82
Remove the "referrer" directive in CSP, r=ckerschb
https://hg.mozilla.org/mozilla-central/rev/eeaae6812d82
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
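
A site-side check for the migration discussed in this bug, as an added example that is not part of the bug or of Firefox's code: it finds a `referrer` directive in a Content-Security-Policy value and proposes the equivalent Referrer-Policy header. The function names, the legacy alias table and the sample headers are assumptions made for the illustration.

```javascript
// Added example, not Firefox code. Audits one response's headers for the
// removed CSP "referrer" directive and proposes a Referrer-Policy header.
const REFERRER_POLICIES = new Set([ // values of the Referrer-Policy header
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);
// Assumption: older spellings a legacy policy might still carry.
const LEGACY_ALIASES = new Map([
  ["none", "no-referrer"],
  ["none-when-downgrade", "no-referrer-when-downgrade"],
  ["origin-when-crossorigin", "origin-when-cross-origin"],
]);

// Split a CSP header value into [directiveName, valueTokens] pairs.
function parseCsp(value) {
  return value.split(";")
    .map((d) => d.trim().split(/\s+/).filter(Boolean))
    .filter((tokens) => tokens.length > 0)
    .map(([name, ...rest]) => [name.toLowerCase(), rest]);
}

function auditReferrerDirective(headers) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const directives = parseCsp(h["content-security-policy"] || "");
  const hit = directives.find(([name]) => name === "referrer");
  if (!hit) return { deprecated: false };
  const raw = (hit[1][0] || "").toLowerCase();
  const mapped = LEGACY_ALIASES.get(raw) || raw;
  return {
    deprecated: true,
    // If Referrer-Policy is already sent, only the CSP cleanup remains.
    alreadyMigrated: "referrer-policy" in h,
    // null means the old value has no known equivalent; review by hand.
    suggestedHeader: REFERRER_POLICIES.has(mapped) ? `Referrer-Policy: ${mapped}` : null,
    cleanedCsp: directives.filter(([n]) => n !== "referrer")
      .map(([n, v]) => [n, ...v].join(" ")).join("; "),
  };
}

// Constructed sample response headers.
const sample = {
  "Content-Security-Policy":
    "default-src 'self'; referrer origin-when-crossorigin; img-src *",
};
console.log(auditReferrerDirective(sample));
```
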