Bug 663566 - (csp-w3c-1.0) Implement Content Security Policy 1.0 per the W3C standard
Status: ASSIGNED
Whiteboard: [doc: see comment#4]
Keywords: dev-doc-needed, meta
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: All All
Importance: -- normal with 7 votes
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
Mentors:
URL: https://dvcs.w3.org/hg/content-securi...
Depends on: 937025 607067 663567 664036 699586 702176 737064 746978 763879 764937 780978 783049 792161 802872 805929 820719 821877 824652 836922 837682 842657 843311 858780 858787 858789 858836 882060 885433 886943 887974 888172 CVE-2014-1485 916054 921493 csp-legacy-removal 1048048
Blocks: CSP 826805
 
Reported: 2011-06-10 16:48 PDT by Brandon Sterne (:bsterne)
Modified: 2015-07-05 02:14 PDT (History)
CC: 22 users

Description Brandon Sterne (:bsterne) 2011-06-10 16:48:47 PDT
We have a few bugs that need to be fixed to bring Gecko's Content Security Policy into conformance with the W3C standard being developed.  I'll use this bug to track that work.
Comment 1 Rob Mueller 2012-06-18 23:51:20 PDT
Close this as a duplicate of 493857?
Comment 2 Sid Stamm [:geekboy or :sstamm] 2012-06-19 14:04:04 PDT
(In reply to Rob Mueller from comment #1)
> Close this as a duplicate of 493857?

No, this is the next revision of CSP -- the one that satisfies the W3C standard (not our own work in progress).  See comment 0.
Comment 3 Sid Stamm [:geekboy or :sstamm] 2012-08-03 15:06:44 PDT
I think we should probably land much of these changes in a way so that the new header name ("Content-Security-Policy") is the header parsed for 1.0 compliance.  This means the old header "X-Content-Security-Policy" should still work with old syntax, but the new one should only support the actual spec.
Comment 4 Ian Melven :imelven 2012-08-03 15:58:58 PDT
(In reply to Sid Stamm [:geekboy] from comment #3)
> I think we should probably land much of these changes in a way so that the
> new header name ("Content-Security-Policy") is the header parsed for 1.0
> compliance.  This means the old header "X-Content-Security-Policy" should
> still work with old syntax, but the new one should only support the actual
> spec.

That makes sense to me - how long are we going to support the old header? We should have a plan for removing it eventually IMO. Also maybe we should show a 'this will be deprecated soon' warning when the old header is used when the new one with new syntax lands as well. That would make a good first bug for someone as well perhaps.
Comment 5 Ian Melven :imelven 2012-08-31 12:08:58 PDT
Morphing this slightly to specifically be about implementing the CSP 1.0 spec - that doesn't contain meta so I removed that dependency
Comment 6 Ian Melven :imelven 2012-09-01 12:24:49 PDT
We should make sure that our implementation passes the w3c CSP tests here: https://dvcs.w3.org/hg/webappsec/file/746643cbf781/tests/csp/ including the submitted tests.
Comment 7 Ian Melven :imelven 2012-09-07 14:17:11 PDT
Erland Oftedal has created a CSP 1.0 test page, we should make sure our implementation passes these tests: http://csptesting.herokuapp.com/

Source for the tests is at https://github.com/eoftedal/csp-testing

Thank you Erland!!
Comment 8 Ian Melven :imelven 2012-09-14 16:52:16 PDT
(In reply to Ian Melven :imelven from comment #7)
> Erland Oftedal has created a CSP 1.0 test page, we should make sure our
> implementation passes these tests: http://csptesting.herokuapp.com/
> 
> Source for the tests is at https://github.com/eoftedal/csp-testing
> 
> Thank you Erland!!

A note that these use the X-Content-Security-Policy header, our 1.0 compliant implementation in bug 746978 expects to get 1.0 spec compliant policies in the Content-Security-Policy header (see bug 783049 for details)
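The header precedence discussed in comment 3 and comment 4 (the new Content-Security-Policy header parsed strictly per CSP 1.0, the old X-Content-Security-Policy header still accepted with its old syntax, plus a deprecation warning when only the old header is used) and the expectation in comment 8 that 1.0 policies arrive in the Content-Security-Policy header, as an added Python illustration. This is not Gecko code and not part of this bug: the function names, the warning strings, the constructed sample headers, the hypothetical legacy parser hand-off and the assumption that the standard header wins when both are present are all assumptions made for the example. The CSP 1.0 parsing rules it follows (directives separated by ';', a directive name followed by whitespace-separated source expressions, first occurrence of a duplicate directive wins, unknown directives ignored) are those of the W3C CSP 1.0 draft.

```python
"""Illustrative header-selection logic for a CSP 1.0 implementation that still
accepts the legacy X-Content-Security-Policy header (added example; not Gecko
code). Names, warning texts and sample headers are constructed assumptions."""

from typing import Dict, List, Optional, Tuple

STANDARD_HEADER = "Content-Security-Policy"    # W3C CSP 1.0 header name
LEGACY_HEADER = "X-Content-Security-Policy"    # pre-standard Gecko header name

# Directive names defined by CSP 1.0; anything else is reported, not honoured.
CSP10_DIRECTIVES = {
    "default-src", "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src", "sandbox",
    "report-uri",
}


def parse_csp10(policy: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Parse a CSP 1.0 serialized policy into {directive: [source expressions]}.

    Directives are ';'-separated; each is a name followed by whitespace-separated
    source expressions. Per CSP 1.0 the first occurrence of a duplicated directive
    wins and unknown directives are ignored; both cases produce a warning so the
    site author can see what was dropped (the policy is never loosened by them)."""
    directives: Dict[str, List[str]] = {}
    warnings: List[str] = []
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue                      # empty directive (e.g. trailing ';')
        name, values = tokens[0].lower(), tokens[1:]
        if name not in CSP10_DIRECTIVES:
            warnings.append(f"ignoring unknown directive '{name}'")
            continue
        if name in directives:
            warnings.append(f"ignoring duplicate directive '{name}'")
            continue
        directives[name] = values
    return directives, warnings


def select_csp_policy(headers: Dict[str, str]) -> dict:
    """Decide which header governs a response (assumed precedence, per comment 3).

    - Content-Security-Policy present: parse it strictly as CSP 1.0; a legacy
      header alongside it is ignored (assumption) and reported.
    - only X-Content-Security-Policy present: hand the raw policy to the old
      parser (hypothetical, not implemented here) with the deprecation warning
      suggested in comment 4.
    - neither: no policy applies."""
    lookup = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    standard: Optional[str] = lookup.get(STANDARD_HEADER.lower())
    legacy: Optional[str] = lookup.get(LEGACY_HEADER.lower())

    if standard is not None:
        directives, warnings = parse_csp10(standard)
        if legacy is not None:
            warnings.append(f"{LEGACY_HEADER} ignored because {STANDARD_HEADER} is present")
        return {"source": STANDARD_HEADER, "directives": directives, "warnings": warnings}

    if legacy is not None:
        # Legacy syntax is not CSP 1.0; it would go to the old parser untouched.
        return {
            "source": LEGACY_HEADER,
            "raw_policy": legacy,
            "warnings": [f"{LEGACY_HEADER} is deprecated; send {STANDARD_HEADER} with CSP 1.0 syntax"],
        }

    return {"source": None, "directives": {}, "warnings": []}


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = [
        {"Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; default-src 'none'; frob-src x"},
        {"X-Content-Security-Policy": "allow 'self'"},
        {"content-security-policy": "default-src 'none'", "X-Content-Security-Policy": "allow *"},
        {},
    ]
    for headers in samples:
        print(select_csp_policy(headers))
```

The warnings list is the part a defender actually cares about: a duplicate `default-src` or a misspelled directive silently dropped is the usual reason a policy is weaker than its author believes, and surfacing those during the transition between the two header names is exactly what comment 4 asks for.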
Comment 9 Erlend 2012-09-15 01:35:19 PDT
Hi. I just updated the csptesting page. It now includes the header without the X- prefix, and you can also remove the old headers by using this URL:
http://csptesting.herokuapp.com/?disable_old_headers=true
Comment 10 Ian Melven :imelven 2012-09-15 08:23:42 PDT
(In reply to Erlend from comment #9)
> Hi. I just updated the csptesting page. It now includes the header without
> the X- prefix, and you can also remove the old headers by using this URL:
> http://csptesting.herokuapp.com/?disable_old_headers=true

Awesome, thanks very much!
Comment 11 Ian Melven :imelven 2012-12-08 15:01:02 PST
I'm going to poach this from Brandon as I've been working on the dependent bugs - Brandon, let me know if you have any objections please :)
Comment 12 Ian Melven :imelven 2013-01-22 16:45:26 PST
Going to unassign myself and leave this as a purely tracking bug.
