Bug 663566 (csp-w3c-1.0)

Implement Content Security Policy 1.0 per the W3C standard

Status: ASSIGNED
Assignee: Unassigned
Product: Core
Component: Security
Reported: 6 years ago
Modified: 2 years ago

People

Reporter: bsterne
Assignee: Unassigned

Tracking

Depends on: 1 bug
Blocks: 1 bug
Keywords: dev-doc-needed, meta
Version: Trunk
Firefox Tracking Flags: Not tracked

Details

Whiteboard: [doc: see comment#4]

(Reporter)

Description

6 years ago
We have a few bugs that need to be fixed to bring Gecko's Content Security Policy into conformance with the W3C standard being developed.  I'll use this bug to track that work.
(Reporter)

Updated

6 years ago
Alias: csp-w3c
(Reporter)

Updated

6 years ago
Depends on: 663567
(Reporter)

Updated

6 years ago
Depends on: 663570
(Reporter)

Updated

6 years ago
Depends on: 664036
Depends on: 737064, 746978
Depends on: 763879

Updated

5 years ago
Depends on: 764937

Comment 1

5 years ago
Close this as a duplicate of 493857?

Comment 2

(In reply to Rob Mueller from comment #1)
> Close this as a duplicate of 493857?

No, this is the next revision of CSP -- the one that satisfies the W3C standard (not our own work in progress).  See comment 0.
Blocks: 493857

Comment 3

I think we should probably land much of these changes in a way so that the new header name ("Content-Security-Policy") is the header parsed for 1.0 compliance.  This means the old header "X-Content-Security-Policy" should still work with old syntax, but the new one should only support the actual spec.

Comment 4

5 years ago
(In reply to Sid Stamm [:geekboy] from comment #3)
> I think we should probably land much of these changes in a way so that the
> new header name ("Content-Security-Policy") is the header parsed for 1.0
> compliance.  This means the old header "X-Content-Security-Policy" should
> still work with old syntax, but the new one should only support the actual
> spec.

That makes sense to me - how long are we going to support the old header? We should have a plan for removing it eventually, IMO. Also, maybe we should show a 'this will be deprecated soon' warning when the old header is used, once the new one with new syntax lands as well. That would make a good first bug for someone as well, perhaps.

Updated

5 years ago
Keywords: dev-doc-needed
Whiteboard: [doc: see comment#4]
Depends on: 780978

Updated

5 years ago
Depends on: 783049

Updated

5 years ago
No longer depends on: 663570

Comment 5

5 years ago
Morphing this slightly to specifically be about implementing the CSP 1.0 spec - that doesn't contain meta, so I removed that dependency.
Depends on: 663570
Summary: Implement Content Security Policy per the W3C standard → Implement Content Security Policy 1.0 per the W3C standard

Updated

5 years ago
No longer depends on: 663570

Comment 6

5 years ago
We should make sure that our implementation passes the W3C CSP tests here: https://dvcs.w3.org/hg/webappsec/file/746643cbf781/tests/csp/ including the submitted tests.

Comment 7

5 years ago
Erland Oftedal has created a CSP 1.0 test page; we should make sure our implementation passes these tests: http://csptesting.herokuapp.com/

Source for the tests is at https://github.com/eoftedal/csp-testing

Thank you, Erland!!

Comment 8

5 years ago
(In reply to Ian Melven :imelven from comment #7)
> Erland Oftedal has created a CSP 1.0 test page, we should make sure our
> implementation passes these tests : http://csptesting.herokuapp.com/
> 
> Source for the tests is at https://github.com/eoftedal/csp-testing
> 
> Thank you Erland !!

A note that these use the X-Content-Security-Policy header; our 1.0-compliant implementation in bug 746978 expects to get 1.0 spec-compliant policies in the Content-Security-Policy header (see bug 783049 for details).
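As an added illustration (this is not Gecko's code and not from any patch on this bug) of the header precedence comments 3 and 4 describe and the header mismatch comment 8 flags, the Python below models what a CSP 1.0 user agent does: it honours Content-Security-Policy when present, falls back to X-Content-Security-Policy with a deprecation flag and warning, parses the CSP 1.0 directive grammar, and answers whether a script load is allowed. It simplifies the spec in two assumed ways: host sources match by exact origin only (no wildcard hosts or scheme-only sources), and the legacy X- syntax is selected but not parsed.

```python
# Added example, not Gecko's code: models the header precedence from comments
# 3/4 and the header mismatch noted in comment 8 for a CSP 1.0 user agent.
import warnings

STANDARD = "content-security-policy"    # parsed with CSP 1.0 syntax only
LEGACY = "x-content-security-policy"    # legacy syntax, slated for deprecation


def select_policy_header(headers):
    """Return (header_name, value, deprecated) for the header to honour.
    Names match case-insensitively; the standard header wins. A response
    carrying only the legacy header is accepted but flagged, and a
    DeprecationWarning is raised, as comment 4 proposes."""
    lower = {name.lower(): value for name, value in headers.items()}
    if STANDARD in lower:
        return STANDARD, lower[STANDARD], False
    if LEGACY in lower:
        warnings.warn(f"{LEGACY} is deprecated; send {STANDARD} with 1.0 syntax",
                      DeprecationWarning)
        return LEGACY, lower[LEGACY], True
    return None, None, False


def parse_csp10(policy):
    """Parse CSP 1.0: ';'-separated directives, each a name followed by a
    whitespace-separated source list. A repeated name is ignored (first wins)."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def script_allowed(directives, doc_origin, src_origin=None, inline=False):
    """True if a script load passes the policy: script-src if present, else
    default-src; no applicable directive means no restriction. Simplified for
    the example: hosts match by exact origin, 'self' against doc_origin."""
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    if inline:
        return "'unsafe-inline'" in sources
    for source in sources:
        if source == "'none'":
            return False
        if source in ("*", src_origin):
            return True
        if source == "'self'" and src_origin == doc_origin:
            return True
    return False
```

Feeding it a response that carries both header forms, as the test page in comment 9 does, shows the standard header winning and the legacy syntax never reaching the 1.0 parser.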

Comment 9

5 years ago
Hi. I just updated the csptesting page. It now includes the header without the X- prefix, and you can also remove the old headers by using this URL:
http://csptesting.herokuapp.com/?disable_old_headers=true

Comment 10

5 years ago
(In reply to Erlend from comment #9)
> Hi. I just updated the csptesting page. It now includes the header without
> the X- prefix, and you can also remove the old headers by using this URL:
> http://csptesting.herokuapp.com/?disable_old_headers=true

Awesome, thanks very much !

Updated

5 years ago
Depends on: 792161

Updated

5 years ago
Depends on: 802872
Depends on: 805929

Comment 11

5 years ago
I'm going to poach this from Brandon as I've been working on the dependent bugs - Brandon, let me know if you have any objections please :)
Assignee: brandon → imelven

Updated

5 years ago
Status: NEW → ASSIGNED

Updated

5 years ago
Depends on: 702176

Comment 12

5 years ago
Going to unassign myself and leave this as a purely tracking bug.
Assignee: imelven → nobody

Updated

5 years ago
Alias: csp-w3c → csp-w3c-1.0

Updated

5 years ago
Depends on: 821877

Updated

5 years ago
Depends on: 837682

Updated

5 years ago
Depends on: 842657

Updated

4 years ago
Component: DOM: Core & HTML → Security
Depends on: 607067

Updated

4 years ago
Depends on: 858780

Updated

4 years ago
Depends on: 858787

Updated

4 years ago
Depends on: 858789

Updated

4 years ago
Depends on: 858836
Depends on: 873302
Depends on: 882060

Updated

4 years ago
Depends on: 699586

Updated

4 years ago
Depends on: 820719
Depends on: 878608
Depends on: 763930
Depends on: 824652
Depends on: 843311
Depends on: 885433
Blocks: 826805

Updated

4 years ago
Depends on: 887974

Updated

4 years ago
Depends on: 888172
Depends on: 836922

Updated

4 years ago
Depends on: 886943
Depends on: 910139

Updated

4 years ago
Depends on: 916054
Depends on: 921493
Depends on: 937025
Blocks: 949533

Updated

4 years ago
No longer depends on: 873302
No longer blocks: 949533
Depends on: 949533

Updated

3 years ago
Depends on: 1048048
No longer depends on: 878608
No longer depends on: 763930