Consider removing security.csp.enable pref
Categories
(Core :: DOM: Security, task, P2)
Tracking
 | Tracking | Status
---|---|---
firefox99 | --- | fixed
People
(Reporter: Gijs, Assigned: freddy)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
Description
Somehow we have a pref for this.
I'd argue that at this point CSP is such a fundamental part of internet security, and indeed a defense-in-depth mechanism we use ourselves, that it should not be possible anymore to turn it off. Christoph, any reason not to do this?
(I notice we use it in 2 devtools tests and dom/base/test/browser_bug593387.js, for reasons that aren't clear to me off-hand.)
Comment 1 • 3 years ago
All up for removing prefs - Freddy, you interested in doing that? Should be quick.
Comment 2 (Assignee) • 3 years ago
Sure, happy to do it. Do we have someone that we want/need to onboard? Could be a useful first bug if we need one..
Comment 3 (Assignee) • 3 years ago
Sure, happy to do it. Do we have someone that we want/need to onboard? Could be a useful first bug if we need one..
Comment 4 (Assignee) • 3 years ago
Apparently, Bugzilla is storing the comment text even after submission, which prepopulated this field when changing the assignee and made me send it twice. Meh :)
Updated • 3 years ago
Comment 5 (Assignee) • 3 years ago
Comment 7 (bugherder) • 3 years ago
Comment 8 • 3 years ago
Can you please add this pref back at least in Firefox Developer Edition?
I know that security issues should be considered.
But for developers, they disabled this pref for some reason and they totally know about all the risks.
Take myself as an example: I often include libraries (written by myself or third-party libraries) dynamically in some websites.
It can improve the user experience of those websites when I use them, even if I am not the owner of those websites.
"Open" is the spirit of Firefox. (I still hope so.)
Just like you cannot forbid people from purchasing knives just because they may use them to hurt people.
The security.csp.enable pref shouldn't be removed from Firefox.
Comment 9 (Reporter) • 3 years ago
(In reply to Grassboy Wu from comment #8)
> Can you please add this pref back at least in Firefox Developer Edition?

I don't think so.

> and they totally know about all the risks.

I am skeptical about this just for you - I work on the browser and filed this ticket and wouldn't claim that I would fully grok the risk. But even if I were to accept your claim, the people finding this pref copy-pasted around the internet aren't going to understand what they just did in about:config.

> Take myself as an example: I often include libraries (written by myself or third-party libraries) dynamically in some websites.
> It can improve the user experience of those websites when I use them, even if I am not the owner of those websites.

This should work with webextensions. If you can't get it to work, file a bug with specifics that blocks bug 1267027, and we can fix that.

> "Open" is the spirit of Firefox. (I still hope so.)
> Just like you cannot forbid people from purchasing knives just because they may use them to hurt people.

Indeed, but we don't offer it on a platter to people who intend to do us harm. At-runtime flippable preferences that reduce the security protections that the user rightly assumes in the browser are a bad idea in today's world. Everything that erodes the sandboxing and origin separation we build up around websites is a risk. People who need this feature are technical enough to use an extension for it.
Comment 10 (Assignee) • 3 years ago
I want to re-emphasize what Gijs says here. There are some architectural risks for Firefox that we cannot properly address with these prefs existing.
However, I am also very sympathetic to your use case. I've used the pref myself sometimes.
But for your local developer setup, I recommend using a WebExtension to override CSP headers. I also know that other folks are successfully using security tools like ZAP Proxy or Burp Suite to remove security headers during testing.
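The WebExtension route suggested in comment 10, as an added example that is not part of the bug, the Firefox code base, or any extension mentioned in the thread. It is a minimal background script that drops Content-Security-Policy response headers only for an assumed allow-list of development hosts (`localhost` and the hypothetical `dev.example.test`), which is narrower than what the old pref did (disabling CSP for every site in the profile). The extension name in the manifest is likewise made up for illustration.

```javascript
// background.js for a minimal "strip CSP for my dev hosts" WebExtension.
// Added example, not code from the bug or from Firefox. The host list and
// extension name are assumptions for illustration.
//
// Companion manifest.json (Manifest V2, which Firefox accepts for
// webRequestBlocking). The host permissions must cover every URL the
// listener is allowed to touch:
//
// {
//   "manifest_version": 2,
//   "name": "strip-csp-dev",
//   "version": "0.1",
//   "permissions": [
//     "webRequest", "webRequestBlocking",
//     "http://localhost/*", "https://dev.example.test/*"
//   ],
//   "background": { "scripts": ["background.js"] }
// }

// Hosts where removing CSP is acceptable (assumed dev hosts). Matching on
// hostname rather than the full origin keeps the check independent of the
// port a local dev server happens to use.
const DEV_HOSTS = new Set(["localhost", "dev.example.test"]);

// Response headers that deliver a CSP. Header names are case-insensitive
// in HTTP, so both the set and the lookup use lower case.
const CSP_HEADER_NAMES = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
]);

function isDevUrl(url) {
  try {
    return DEV_HOSTS.has(new URL(url).hostname);
  } catch (e) {
    return false; // unparsable URL: never strip
  }
}

// Pure transform used by the listener: returns the header list with CSP
// headers removed for dev hosts, and untouched for everything else. Keeping
// this separate from the browser API makes it testable outside Firefox.
function stripCsp(url, responseHeaders) {
  if (!isDevUrl(url)) return responseHeaders;
  return responseHeaders.filter(
    (h) => !CSP_HEADER_NAMES.has(h.name.toLowerCase())
  );
}

// Blocking onHeadersReceived listener: when the listener returns an object
// with responseHeaders, Firefox uses that list in place of the server's.
function onHeadersReceived(details) {
  return { responseHeaders: stripCsp(details.url, details.responseHeaders) };
}

// Register only inside an extension context; under Node (or a test runner)
// `browser` is undefined and the module just exposes the functions above.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    onHeadersReceived,
    {
      urls: ["http://localhost/*", "https://dev.example.test/*"],
      types: ["main_frame", "sub_frame"],
    },
    ["blocking", "responseHeaders"]
  );
}
```

Load it from about:debugging ("This Firefox" > "Load Temporary Add-on") in a profile used only for development. Two caveats a practitioner should keep in mind: stripping the response header does nothing to a policy delivered via `<meta http-equiv="Content-Security-Policy">`, and the listener above only covers documents (`main_frame`/`sub_frame`), so a CSP carried on a worker script's response is left intact.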
Comment 11 • 3 years ago
OK, after installing an extension for header modification (e.g. ModHeader),
the CSP header can be overridden successfully...
Thanks for your recommendation!!