Open Bug 1548468 Opened 5 years ago Updated 1 year ago

Move CSP off ExpandedPrincipal

Categories

(Core :: DOM: Security, task, P3)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

People

(Reporter: ckerschb, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Within Bug 965637 we are moving the CSP from the Principal into the Client except for ExpandedPrincipals. This is meant as a follow up bug to Bug 965637 to actually move the CSP off ExpandedPrincipals as well. At the time of this writing it's not entirely clear where the CSP for expandedPrincipals should live.

Type: defect → task
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

Kris, within Bug 965637 we are going to move the CSP from the Principal into the Client except for extensions where we (for now) keep the CSP on ExpandedPrincipals. Within this bug we would like to get the CSP off the Expanded Principal and move it somewhere else - any preference or suggestions where the CSP for extensions could remain?

Blocks: 1443925
Flags: needinfo?(kmaglione+bmo)
Blocks: 1716730
Assignee: nobody → ngogge
Status: NEW → ASSIGNED
Depends on: 1743042

There are three callers of ExpandedPrincipal::SetCsp.

You should also clean up the work-around that we added in bug 1741600 to avoid memory leaks (caused by nsCSPContext and ExpandedPrincipal having a strong reference to each other).

There is also some dead code that should be removed, as it will definitely not be needed any more once you've moved nsCSPContext off ExpandedPrincipal: https://searchfox.org/mozilla-central/rev/7fe9421af35256a95acc4620e9e0b76df7867287/dom/security/nsCSPContext.h#127-131
(for the history behind that code, see https://bugzilla.mozilla.org/show_bug.cgi?id=1741600#c7).

Flags: needinfo?(kmaglione+bmo)
Assignee: ngogge → nobody
Status: ASSIGNED → NEW
See Also: → 1766813
Severity: normal → S3
See Also: → 1587494
You need to log in before you can comment on or make changes to this bug.