Closed Bug 1754301 Opened 3 years ago Closed 3 years ago

Consider removing security.csp.enable pref

Categories

(Core :: DOM: Security, task, P2)

Desktop
All
task

RESOLVED FIXED
99 Branch
Tracking Status
firefox99 --- fixed

People

(Reporter: Gijs, Assigned: freddy)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Somehow we have a pref for this.

I'd argue that at this point CSP is such a fundamental part of internet security, and indeed a defense-in-depth mechanism we use ourselves, that it should not be possible anymore to turn it off. Christoph, any reason not to do this?

(I notice we use it in 2 devtools tests and dom/base/test/browser_bug593387.js, for reasons that aren't clear to me off-hand.)

All up for removing prefs - Freddy, you interested in doing that? Should be quick.

Flags: needinfo?(fbraun)

Sure, happy to do it. Do we have someone that we want/need to onboard? Could be a useful first bug if we need one..

Flags: needinfo?(fbraun)

Sure, happy to do it. Do we have someone that we want/need to onboard? Could be a useful first bug if we need one..

Assignee: nobody → fbraun

Apparently, Bugzilla is storing the comment text even after submission, which prepopulated this field when changing the assignee and made me send it twice. Meh :)

Status: NEW → ASSIGNED
Type: defect → task
Priority: -- → P2
Whiteboard: [domsecurity-active]
Depends on: 1755311
Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a32c976b64a8
remove pref security.csp.enable r=ckerschb,mccr8
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch

Can you please add this pref back at least in Firefox Developer Edition?

I know that security issues should be considered.
But for developers, they disabled this pref for some reason and they totally know about all the risks.
Take myself as an example: I often include libraries (written by myself or third-party libraries) dynamically in some websites.
It can improve the user experience of those websites when I use them, even if I am not the owner of those websites.

"Open" is the spirit of Firefox. (I still hope so)
Just like you cannot forbid people from purchasing a knife just because they may use it to hurt people.
The security.csp.enable pref shouldn't be removed from Firefox.

(In reply to Grassboy Wu from comment #8)

> Can you please add this pref back at least in Firefox Developer Edition?

I don't think so.

> and they totally know about all the risks.

I am skeptical about this just for you - I work on the browser and filed this ticket and wouldn't claim that I would fully grok the risk. But even if I were to accept your claim, the people finding this pref copy-pasted around the internet aren't going to understand what they just did in about:config.

> Take myself as an example: I often include libraries (written by myself or third-party libraries) dynamically in some websites.
> It can improve the user experience of those websites when I use them, even if I am not the owner of those websites.

This should work with webextensions. If you can't get it to work, file a bug with specifics that blocks bug 1267027, and we can fix that.

> "Open" is the spirit of Firefox. (I still hope so)
> Just like you cannot forbid people from purchasing a knife just because they may use it to hurt people.

Indeed, but we don't offer it on a platter to people who intend to do us harm. At-runtime flippable preferences that reduce the security protections that the user rightly assumes in the browser are a bad idea in today's world. Everything that erodes the sandboxing and origin separation we build up around websites is a risk. People who need this feature are technical enough to use an extension for it.

I want to re-emphasize what Gijs says here. There are some architectural risks for Firefox that we cannot properly address with these prefs existing.

However, I am also very sympathetic to your use case. I've used the pref myself sometimes.
But for your local developer setup, I recommend using a WebExtension to override CSP headers. I also know that other folks are successfully using security tools like ZAP Proxy or Burp Suite to remove security headers during testing.
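
The WebExtension approach recommended in the comment above, sketched as an added example that is not part of the original thread or of Mozilla's code: a background script that relaxes CSP response headers for a local developer setup only. It assumes a Manifest V2 extension with the `webRequest` and `webRequestBlocking` permissions plus matching host permissions; `DEV_URLS`, `relaxCsp` and `onHeadersReceived` are hypothetical names.

```javascript
// Added example: background script for a Manifest V2 WebExtension.
// Assumed manifest permissions: "webRequest", "webRequestBlocking" and
// host permissions matching DEV_URLS (constructed placeholder hosts).
const DEV_URLS = ["http://localhost/*", "http://127.0.0.1/*"];

const ENFORCING = "content-security-policy";
const REPORT_ONLY = "Content-Security-Policy-Report-Only";

// Returns a new header list and leaves the input untouched.
// mode "report-only": enforcing policies are renamed to the report-only
//   header, so violations still appear in the console but nothing is blocked.
// mode "strip": enforcing policies are removed entirely.
function relaxCsp(responseHeaders, mode = "report-only") {
  const out = [];
  for (const header of responseHeaders) {
    // Header names are case-insensitive, and a response may carry several
    // CSP headers, so every entry is checked.
    if (header.name.toLowerCase() !== ENFORCING) {
      out.push(header);
    } else if (mode === "report-only") {
      // Spread keeps value or binaryValue, whichever the browser supplied.
      out.push({ ...header, name: REPORT_ONLY });
    }
  }
  return out;
}

// Blocking listener: the returned headers replace the original ones.
function onHeadersReceived(details) {
  return { responseHeaders: relaxCsp(details.responseHeaders) };
}

// Register only when running inside an extension, and only for documents
// served from the development hosts listed above.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    onHeadersReceived,
    { urls: DEV_URLS, types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```

A policy delivered through a `<meta http-equiv>` element is not affected by header rewriting, and keeping the URL filter limited to development hosts leaves CSP enforced everywhere else.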

OK, after installing an extension for header modification (e.g. ModHeader),
the CSP header can be overridden successfully...
Thanks for your recommendation!!

See Also: → 1794545
Duplicate of this bug: 1802189