Closed
Bug 1302449
Opened 8 years ago
Closed 6 years ago
deprecating the "referrer" directive in CSP
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla62
| | Tracking | Status |
|---|---|---|
| firefox62 | --- | fixed |
People
(Reporter: kjozwiak, Assigned: baku)
References
(Blocks 2 open bugs)
Details
(Keywords: dev-doc-complete, site-compat, Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
39.78 KB, patch | ckerschb: review+
The W3C has recently added tests [1] under the Web Platform Test Runner that check and ensure that browsers are not using the CSP "referrer" directive to set a Referrer Policy, which has been replaced by the Referrer-Policy header [2].

Chris, would removing the CSP "referrer" directive cause any compatibility issues? Is the directive still widely used on the web?

[1] https://w3c-test.org/referrer-policy/generic/unsupported-csp-referrer-directive.html
[2] https://github.com/w3c/web-platform-tests/pull/3416
Reporter
Updated•8 years ago
Flags: needinfo?(ckerschb)
Comment 1•8 years ago
Hey Kamil, I suppose the least we can do is log a warning to the console that it's deprecated and also get some telemetry data (somewhere around here [1]). If not too many pages rely on it, I am fine with removing the code from CSP. But I suppose we should wait at least 2 cycles to give folks a chance to switch and use the Referrer-Policy header. Agreed?

[1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPParser.cpp#867
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Reporter
Comment 2•8 years ago
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Hey Kamil, I suppose the least we can do is log a warning to the console
> that it's deprecated and also get some telemetry data (somewhere around here
> [1]). If not too many pages rely on it, I am fine with removing the code
> from CSP. But I suppose we should wait at least 2 cycles to give folks a
> chance to switch and use the Referrer-Policy header. Agreed?
>
> [1]
> https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPParser.cpp#867

Completely agreed :)
Updated•8 years ago
Keywords: dev-doc-needed
Comment 3•8 years ago
Looks like this is removed in Chrome 56 https://bugs.chromium.org/p/chromium/issues/detail?id=658761
Updated•7 years ago
Keywords: site-compat
Assignee
Comment 4•6 years ago
I'm not sure this is enough. ... and I still have to see how many WPTs are broken by this patch.
Assignee: nobody → amarchesini
Attachment #8973696 - Flags: review?(ckerschb)
Comment 5•6 years ago
Comment on attachment 8973696
csp_referrer.patch

Review of attachment 8973696:
-----------------------------------------------------------------

that looks good to me, thanks and r=me!
Attachment #8973696 - Flags: review?(ckerschb) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eeaae6812d82
Remove the "referrer" directive in CSP, r=ckerschb
Comment 7•6 years ago
Posted the site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2018/csp-referrer-directive-has-been-removed/
Comment 8•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/eeaae6812d82
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment 9•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/eeaae6812d82
Updated•6 years ago
status-firefox51: affected → ---
Comment 10•6 years ago
https://developer.mozilla.org/en-US/Firefox/Releases/62#HTTP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer
https://github.com/mdn/browser-compat-data/pull/2369
Keywords: dev-doc-needed → dev-doc-complete
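
For site operators checking their own responses after this removal, an added example (not part of the bug or the Firefox patch): it finds the CSP "referrer" directive in a header list and proposes the equivalent Referrer-Policy header. The function name, the constructed sample headers and the legacy value spellings in `LEGACY` are assumptions.

```python
# Added example (not Firefox code). Legacy spellings are assumptions.
LEGACY = {"none-when-downgrade": "no-referrer-when-downgrade",
          "origin-when-crossorigin": "origin-when-cross-origin"}
VALID = {"no-referrer", "no-referrer-when-downgrade", "origin",
         "origin-when-cross-origin", "same-origin", "strict-origin",
         "strict-origin-when-cross-origin", "unsafe-url"}

# Constructed sample response headers.
SAMPLE = [
    ("Content-Security-Policy",
     "default-src 'self'; referrer none-when-downgrade; img-src https:"),
    ("X-Content-Type-Options", "nosniff"),
]


def migrate(headers):
    """Drop CSP "referrer"; add Referrer-Policy unless one is already set."""
    findings, out, wanted = [], [], None
    has_rp = any(name.lower() == "referrer-policy" for name, _ in headers)
    for name, value in headers:
        if name.lower() != "content-security-policy":
            out.append((name, value))
            continue
        kept = []
        for part in value.split(";"):
            tokens = part.split()
            if not tokens:
                continue
            if tokens[0].lower() != "referrer":
                kept.append(" ".join(tokens))  # other directives stay as-is
                continue
            raw = tokens[1].lower() if len(tokens) > 1 else ""
            policy = LEGACY.get(raw, raw)
            if policy in VALID:
                wanted = wanted or policy  # first usable value wins
                findings.append(f"referrer {raw!r} -> Referrer-Policy: {policy}")
            else:
                findings.append(f"referrer {raw!r} has no known equivalent")
        if kept:  # a CSP that held only "referrer" is dropped entirely
            out.append((name, "; ".join(kept)))
    if wanted and not has_rp:
        out.append(("Referrer-Policy", wanted))
    return out, findings


if __name__ == "__main__":
    for line in migrate(SAMPLE)[1]:
        print(line)
```
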