It should be possible for a protocol implementation to provide a CSP or sandbox flags or something

NEW
Unassigned

Status


P3
normal
2 years ago
11 months ago

People

(Reporter: bzbarsky, Unassigned)

Tracking

(Blocks: 1 bug)

Trunk

Firefox Tracking Flags

(firefox53 affected)

Details

(Whiteboard: [necko-backlog])

See bug 1316256 comment 23.

Right now nsDocument::InitCSP works like so:


  nsCOMPtr<nsIHttpChannel> httpChannel;
  nsresult rv = GetHttpChannelHelper(aChannel, getter_AddRefs(httpChannel));
...

  if (httpChannel) {
    httpChannel->GetResponseHeader(
        NS_LITERAL_CSTRING("content-security-policy"),
        tCspHeaderValue);

to get a string to parse a CSP from.  This is fine for HTTP, but other protocols are left unable to provide a CSP if they want to do so.

We should have an nsIChannel API for getting the CSP string, which HTTP would implement by calling GetResponseHeader.  Then Thunderbird can provide a CSP that will sandbox things the way it wants.
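
A self-contained model of the API shape proposed above, added here as an illustration and not taken from the Mozilla tree. The names Channel, MailMessageChannel, GetContentSecurityPolicy and PolicyForDocument are hypothetical, and the policy strings are constructed samples.

```cpp
#include <map>
#include <string>

// Hypothetical stand-in for nsIChannel: any protocol may offer a CSP string.
struct Channel {
  virtual ~Channel() = default;
  // Returns true and fills aPolicy when the protocol supplies a policy.
  // Default: the protocol has nothing to offer.
  virtual bool GetContentSecurityPolicy(std::string& aPolicy) const {
    (void)aPolicy;
    return false;
  }
};

// HTTP keeps its current behaviour by delegating to the response header.
struct HttpChannel : Channel {
  std::map<std::string, std::string> responseHeaders;  // keys kept lowercase
  bool GetResponseHeader(const std::string& aName, std::string& aValue) const {
    auto it = responseHeaders.find(aName);
    if (it == responseHeaders.end()) return false;
    aValue = it->second;
    return true;
  }
  bool GetContentSecurityPolicy(std::string& aPolicy) const override {
    return GetResponseHeader("content-security-policy", aPolicy);
  }
};

// A non-HTTP protocol (for example a mail message channel) sets its own policy.
struct MailMessageChannel : Channel {
  bool GetContentSecurityPolicy(std::string& aPolicy) const override {
    aPolicy = "sandbox; default-src 'none'";  // constructed sample policy
    return true;
  }
};

// Document side: no HTTP-specific helper, just ask whichever channel loaded
// the document. An empty result means "no policy supplied".
std::string PolicyForDocument(const Channel& aChannel) {
  std::string policy;
  return aChannel.GetContentSecurityPolicy(policy) ? policy : std::string();
}

int main() {
  MailMessageChannel mail;
  return PolicyForDocument(mail).empty() ? 1 : 0;
}
```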