Closed Bug 1754301 Opened 5 months ago Closed 5 months ago

Consider removing security.csp.enable pref

Categories

(Core :: DOM: Security, task, P2)

Desktop
All
task

Tracking

()

RESOLVED FIXED
99 Branch
Tracking Status
firefox99 --- fixed

People

(Reporter: Gijs, Assigned: freddy)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Somehow we have a pref for this.

I'd argue that at this point CSP is such a fundamental part of internet security, and indeed a defense-in-depth mechanism we use ourselves, that it should not be possible anymore to turn it off. Christoph, any reason not to do this?

(I notice we use it in 2 devtools tests and dom/base/test/browser_bug593387.js , for reasons that aren't clear to me off-hand.)

All up for removing prefs - Freddy, you interested in doing that? Should be quick.

Flags: needinfo?(fbraun)

Sure, happy to do it. Do we have someone that we want/need to onboard? Could be a useful first bug if we need one..

Flags: needinfo?(fbraun)

Sure, happy to do it. Do we have someone that we want/need to onboard? Could be a useful first bug if we need one..

Assignee: nobody → fbraun

Apparently, Bugzilla is storing the comment text even after submission, which prepopulated this field when changing the assignee and made me send it twice. Meh :)

Status: NEW → ASSIGNED
Type: defect → task
Priority: -- → P2
Whiteboard: [domsecurity-active]
Depends on: 1755311
Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a32c976b64a8
remove pref security.csp.enable r=ckerschb,mccr8
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch

Can you please add this pref back at least in Firefox Developer Edition?

I know that security issue should be considered.
But for developers, they disabled this pref for some reason and they totally know about all the risks.
Take myself as an example, I often include library (written by myself or 3rd library) dynamically in some websites.
It can improve user experience of those websites when I use them. Even if i am not the owner of those websites.

"Open" is the spirit of Firefox. (I still hope so)
Just like that you cannot forbid people to purchase knife just because they may use it to hurt people.
security.csp.enable pref shouldn't be removed in Firefox

(In reply to Grassboy Wu from comment #8)

Can you please add this pref back at least in Firefox Developer Edition?

I don't think so.

and they totally know about all the risks.

I am skeptical about this just for you - I work on the browser and filed this ticket and wouldn't claim that I would fully grok the risk. But even if I were to accept your claim, the people finding this pref copy-pasted around the internet aren't going to understand what they just did in about:config.

Take myself as an example, I often include library (written by myself or 3rd library) dynamically in some websites.
It can improve user experience of those websites when I use them. Even if i am not the owner of those websites.

This should work with webextensions. If you can't get it to work, file a bug with specifics that blocks bug 1267027, and we can fix that.

"Open" is the spirit of Firefox. (I still hope so)
Just like that you cannot forbid people to purchase knife just because they may use it to hurt people.

Indeed, but we don't offer it on a platter to people who intend to do us harm. At-runtime flippable preferences that reduce the security protections that the user rightly assumes in the browser are a bad idea in today's world. Everything that erodes the sandboxing and origin separation we build up around websites is a risk. People who need this feature are technical enough to use an extension for it.

I want to re-emphasize what Gijs says here. There are some architectural risks for Firefox that we can not properly address with these prefs existing.

However, I am also very sympathetic to your user case. I've used the pref myself some times.
But for your local developer setup, I recommend using a WebExtension to override CSP headers. I also know that other folks are successfully using security tools like ZAP Proxy or Burp Suite to remove security headers during testing.

OK, after installing an Extension for Header Modification (ex: ModHeader)
CSP header can be overrided successfully...
Thanks for your recommendation!!

Duplicate of this bug: 1766573
You need to log in before you can comment on or make changes to this bug.