Bug 1413124 (Closed): CSP: child-src/frame-src: which is deprecated?
Opened 8 years ago, closed 8 years ago
Status: RESOLVED WORKSFORME
Categories: Developer Documentation Graveyard :: Protocols, defect, P1
Tracking: Not tracked
People: Reporter: redeyes2015, Assigned: fs

Developer Documentation Request
Request Type: Correction
Gecko Version: unspecified

Details
I just saw Firefox Developer Edition saying:
Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.
So, I checked MDN, but found that [child-src] is marked deprecated, with the suggestion to replace it with 'worker-src' and 'frame-src'. https://content-security-policy.com/ gives the same info as Fx DE.
[child-src]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
I assume it is the MDN page that needs an update. Hope this is the right place to report. If not... sorry! Just wave this away.

Updated (Assignee) • 8 years ago
Assignee: nobody → fscholz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: P5 → P1

Comment 1 (Assignee) • 8 years ago
:ckerschb or :freddyb, do you know which of the two CSP directives is actually deprecated?
The MDN deprecation warning is based on the CSP3 spec:
https://w3c.github.io/webappsec-csp/#directive-child-src
https://w3c.github.io/webappsec-csp/#directive-frame-src
The console is saying "Content Security Policy: Directive ‘frame-src’ has been deprecated." for some reason.
Flags: needinfo?(fbraun)
Flags: needinfo?(ckerschb)

Comment 2 • 8 years ago
There was some discussion around that, but I can't recall if it's been decided (and whether that decision is in-spec yet).
I hope Christoph remembers.
Flags: needinfo?(fbraun)

Comment 3 • 8 years ago
I assume this bug predates the changes within Bug 1302667, hence the confusion. CSP Level 3 [1] deprecates child-src and un-deprecates frame-src. Within Firefox those changes landed for 58. I just double checked and Firefox should log a deprecation warning for child-src [2] but not for frame-src.
To sum it up, Comment 0, in particular [3], is correct. If we still (after 58) log that frame-src is deprecated, as indicated within Comment 1, then this is a bug and we need to fix it.
[1] https://www.w3.org/TR/CSP3/#changes-from-level-2
[2] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPParser.cpp#1115
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
Flags: needinfo?(ckerschb)

Comment 4 (Assignee) • 8 years ago
Thanks for the clarifications!
I also just found https://github.com/foundeo/content-security-policy.com/issues/18 for https://content-security-policy.com/
So, I think MDN is correct as is and Firefox is throwing correct warnings starting with version 58.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME

Comment 5 • 7 years ago
Hi,
I can't see anything in the spec of CSP3 to suggest that child-src is deprecated; it's simply a fallback for frame-src and worker-src, and as such defining just child-src should be valid. Therefore I don't believe Firefox should be warning that child-src is deprecated, as it is in version 58.0.
https://www.w3.org/TR/CSP3/#changes-from-level-2

Comment 6 (Reporter) • 7 years ago
Hi:
I got curious, and just did some digging.
W3C decided to deprecate child-src on 2016/11/14: https://github.com/w3c/webappsec-csp/issues/145 , and the change is reflected on https://w3c.github.io/webappsec-csp/#changes-from-level-2 .
However, CSP3 was "last published" on 2016/09/13 as said on https://www.w3.org/TR/CSP3/ , and did not include the aforementioned change, like Colin Baker said.
Whether Firefox should reflect a "not-published-yet" change is beyond my knowledge. But I hope this helps.
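
The fallback relationship debated in this thread (child-src standing in for frame-src and worker-src), as an added example that is not part of the bug report or of Firefox's code: a small Node.js policy checker that resolves which directive governs frames and workers and rewrites a policy so it stops relying on child-src. The fallback lists follow the CSP Level 3 draft; the function names and the sample policy are constructed for illustration.

```javascript
// Added example. Fallback lists are taken from the CSP Level 3 draft.
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// Parse a serialized policy into Map(name -> source list). Directive names
// are case-insensitive; a repeated directive is ignored (first one wins).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Which directive actually governs `name`? null means nothing restricts it.
function governing(directives, name) {
  const hit = FALLBACK[name].find((d) => directives.has(d));
  return hit ? { directive: hit, sources: directives.get(hit) } : null;
}

// Replace child-src with explicit frame-src / worker-src so the effective
// restrictions stay the same and the policy no longer relies on child-src.
function migrateChildSrc(header) {
  const directives = parsePolicy(header);
  const out = new Map();
  for (const [name, sources] of directives) {
    if (name !== 'child-src') { out.set(name, sources); continue; }
    for (const target of ['frame-src', 'worker-src']) {
      // An explicit directive already overrides child-src: leave it alone.
      if (!directives.has(target)) out.set(target, sources);
    }
  }
  const policy = [...out].map(([n, s]) => [n, ...s].join(' ')).join('; ');
  return { changed: directives.has('child-src'), policy };
}

// Constructed sample policy (not from the bug report).
const SAMPLE = "default-src 'self'; script-src 'self' https://cdn.example; " +
  "child-src https://widgets.example; worker-src 'self'";
const before = parsePolicy(SAMPLE);
console.log(governing(before, 'frame-src'));  // frames governed by child-src
console.log(governing(before, 'worker-src')); // workers governed by worker-src
console.log(migrateChildSrc(SAMPLE).policy);
```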