deprecating the "referrer" directive in CSP

RESOLVED FIXED in Firefox 62

Status


P3
normal
RESOLVED FIXED
3 years ago
8 months ago

People

(Reporter: kjozwiak, Assigned: baku)

Tracking

(Blocks: 2 bugs, {dev-doc-complete, site-compat})

51 Branch
mozilla62

Firefox Tracking Flags

(firefox62 fixed)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
The W3C has recently added tests [1] under the Web Platform Test Runner that check and ensure that browsers are not using the CSP "referrer" directive to set a Referrer Policy which has been replaced by the Referrer-Policy header [2].

Chris, would removing the CSP "referrer" directive cause any compatibility issues? Is the directive still widely used on the web?

[1] https://w3c-test.org/referrer-policy/generic/unsupported-csp-referrer-directive.html
[2] https://github.com/w3c/web-platform-tests/pull/3416
(Reporter)

Updated

3 years ago
Flags: needinfo?(ckerschb)
Hey Kamil, I suppose the least we can do is log a warning to the console that it's deprecated and also get some telemetry data (somewhere around here [1]). If not too many pages rely on it, I am fine with removing the code from CSP. But I suppose we should wait at least 2 cycles to give folks a chance to switch and use the Referrer-Policy header. Agreed?

[1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPParser.cpp#867
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
(Reporter)

Comment 2

3 years ago
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Hey Kamil, I suppose the least we can do is log a warning to the console
> that it's deprecated and also get some telemetry data (somewhere around here
> [1]). If not too many pages rely on it, I am fine with removing the code
> from CSP. But I suppose we should wait at least 2 cycles to give folks a
> chance to switch and use the Referrer-Policy header. Agreed?
> 
> [1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPParser.cpp#867

Completely agreed :)
Depends on: 1307366

Updated

a year ago
Blocks: 1409600
(Assignee)

Comment 4

11 months ago
I'm not sure this is enough. ... and I still have to see how many WPTs are broken by this patch.
Assignee: nobody → amarchesini
Attachment #8973696 - Flags: review?(ckerschb)
Comment on attachment 8973696
csp_referrer.patch

Review of attachment 8973696:
-----------------------------------------------------------------

That looks good to me, thanks and r=me!
Attachment #8973696 - Flags: review?(ckerschb) → review+
(Assignee)

Updated

11 months ago
Blocks: 1455236

Comment 6

11 months ago
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eeaae6812d82
Remove the "referrer" directive in CSP, r=ckerschb

Comment 8

11 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/eeaae6812d82
Status: NEW → RESOLVED
Last Resolved: 11 months ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
status-firefox51: affected → ---
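
For site operators making the switch to the Referrer-Policy header discussed in comment 1, an added example (not part of this bug or of the Firefox patch) that scans response headers for a CSP "referrer" directive and reports whether a Referrer-Policy header is already being sent. The function names, the finding fields and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit response headers for the CSP "referrer" directive.
# Tokens defined for the Referrer-Policy header.
REFERRER_POLICY_TOKENS = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")

# Constructed sample response headers (not taken from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; referrer origin; img-src *"),
]


def parse_csp(value):
    """Split a CSP header value into (directive name, [values]) pairs."""
    directives = []
    for policy in value.split(","):      # one header may carry several policies
        for part in policy.split(";"):   # directives are ';'-separated
            tokens = part.split()
            if tokens:
                directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def audit(headers):
    """Return one finding per CSP "referrer" directive in (name, value) pairs."""
    has_rp = any(n.lower() == "referrer-policy" and v.strip() for n, v in headers)
    findings = []
    for name, value in headers:
        if name.lower() not in CSP_HEADERS:
            continue
        for directive, values in parse_csp(value):
            if directive != "referrer":
                continue
            token = values[0].lower() if values else None
            findings.append({
                "header": name,
                "csp_value": token,
                # Suggest a header value only if the token is already a valid
                # Referrer-Policy token; anything else needs manual review.
                "suggested": token if token in REFERRER_POLICY_TOKENS else None,
                "referrer_policy_present": has_rp,
            })
    return findings
```

Calling `audit(SAMPLE_HEADERS)` returns a single finding for the `referrer origin` directive, with `referrer_policy_present` set to `False`, meaning the page relies on the directive alone.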