Bug 663566 (csp-w3c-1.0)

[meta] Implement Content Security Policy 1.0 per the W3C standard

NEW
Unassigned

Status

()

enhancement
8 years ago
3 months ago

People

(Reporter: bsterne, Unassigned)

Tracking

(Depends on 1 bug, Blocks 1 bug, {dev-doc-needed, meta})

Trunk
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [doc: see comment#4], )

We have a few bugs that need to be fixed to bring Gecko's Content Security Policy into conformance with the W3C standard being developed.  I'll use this bug to track that work.
Alias: csp-w3c
Depends on: 663567
Depends on: 663570
Depends on: 664036
Depends on: 763879
Depends on: 764937
Close this as a duplicate of 493857?
(In reply to Rob Mueller from comment #1)
> Close this as a duplicate of 493857?

No, this is the next revision of CSP -- the one that satisfies the W3C standard (not our own work in progress).  See comment 0.
I think we should probably land much of these changes in a way so that the new header name ("Content-Security-Policy") is the header parsed for 1.0 compliance.  This means the old header "X-Content-Security-Policy" should still work with old syntax, but the new one should only support the actual spec.
(In reply to Sid Stamm [:geekboy] from comment #3)
> I think we should probably land much of these changes in a way so that the
> new header name ("Content-Security-Policy") is the header parsed for 1.0
> compliance.  This means the old header "X-Content-Security-Policy" should
> still work with old syntax, but the new one should only support the actual
> spec.

That makes sense to me - how long are we going to support the old header ? We should have a plan for removing it eventually IMO. Also maybe we should show a 'this will be deprecated soon' warning when the old header is used when the new one with new syntax lands as well. That would make a good first bug for someone as well perhaps.
Keywords: dev-doc-needed
Whiteboard: [doc: see comment#4]
Depends on: 780978
Depends on: 783049
No longer depends on: 663570
Morphing this slightly to specifically be about implementing the CSP 1.0 spec - that doesn't contain meta so I removed that dependency
Depends on: 663570
Summary: Implement Content Security Policy per the W3C standard → Implement Content Security Policy 1.0 per the W3C standard
No longer depends on: 663570
We should make sure that our implementation passes the w3c CSP tests here : https://dvcs.w3.org/hg/webappsec/file/746643cbf781/tests/csp/ including the submitted tests.
Erland Oftedal has created a CSP 1.0 test page, we should make sure our implementation passes these tests : http://csptesting.herokuapp.com/

Source for the tests is at https://github.com/eoftedal/csp-testing

Thank you Erland !!
(In reply to Ian Melven :imelven from comment #7)
> Erland Oftedal has created a CSP 1.0 test page, we should make sure our
> implementation passes these tests : http://csptesting.herokuapp.com/
> 
> Source for the tests is at https://github.com/eoftedal/csp-testing
> 
> Thank you Erland !!

a note that these use the X-Content-Security-Policy header, our 1.0 compliant implementation in bug 746978 expects to get 1.0 spec compliant policies in the Content-Security-Policy header (see bug 783049 for details)
Hi. I just updated the csptesting page. It now includes the header without the X- prefix, and you can also remove the old headers by using this URL:
http://csptesting.herokuapp.com/?disable_old_headers=true
(In reply to Erlend from comment #9)
> Hi. I just updated the csptesting page. It now includes the header without
> the X- prefix, and you can also remove the old headers by using this URL:
> http://csptesting.herokuapp.com/?disable_old_headers=true

Awesome, thanks very much !
Depends on: 792161
Depends on: 802872
Depends on: 805929
I'm going to poach this from Brandon as I've been working on the dependent bugs - Brandon, let me know if you have any objections please :)
Assignee: brandon → imelven
Status: NEW → ASSIGNED
Depends on: 702176
Going to unassign myself and leave this as a purely tracking bug.
Assignee: imelven → nobody
Alias: csp-w3c → csp-w3c-1.0
Depends on: 821877
Depends on: 837682
Depends on: 842657
Component: DOM: Core & HTML → Security
Depends on: 607067
Depends on: 858780
Depends on: 858787
Depends on: 858789
Depends on: 858836
Depends on: 873302
Depends on: 699586
Depends on: 820719
Blocks: 826805
Depends on: 887974
Depends on: 888172
Depends on: 886943
Depends on: 916054
No longer depends on: 873302
Depends on: 1048048
No longer depends on: 878608
No longer depends on: 763930
No assignee, updating the status.
Status: ASSIGNED → NEW
No assignee, updating the status.
No assignee, updating the status.
Type: defect → enhancement
Summary: Implement Content Security Policy 1.0 per the W3C standard → [meta] Implement Content Security Policy 1.0 per the W3C standard
You need to log in before you can comment on or make changes to this bug.