663566 - (csp-w3c-1.0) [meta] Implement Content Security Policy 1.0 per the W3C standard

Status: NEW

(Core :: Security, enhancement)

Description

[Brandon Sterne (:bsterne)]

We have a few bugs that need to be fixed to bring Gecko's Content Security Policy into conformance with the W3C standard being developed.  I'll use this bug to track that work.

Comment 1

[Rob Mueller]

Close this as a duplicate of 493857?

Comment 2

[Sid Stamm [:geekboy or :sstamm]]

(In reply to Rob Mueller from comment #1)
> Close this as a duplicate of 493857?

No, this is the next revision of CSP -- the one that satisfies the W3C standard (not our own work in progress).  See comment 0.

Comment 3

[Sid Stamm [:geekboy or :sstamm]]

I think we should probably land much of these changes in a way so that the new header name ("Content-Security-Policy") is the header parsed for 1.0 compliance.  This means the old header "X-Content-Security-Policy" should still work with old syntax, but the new one should only support the actual spec.

Comment 4

[Ian Melven :imelven]

(In reply to Sid Stamm [:geekboy] from comment #3)
> I think we should probably land much of these changes in a way so that the
> new header name ("Content-Security-Policy") is the header parsed for 1.0
> compliance.  This means the old header "X-Content-Security-Policy" should
> still work with old syntax, but the new one should only support the actual
> spec.

That makes sense to me - how long are we going to support the old header ? We should have a plan for removing it eventually IMO. Also maybe we should show a 'this will be deprecated soon' warning when the old header is used when the new one with new syntax lands as well. That would make a good first bug for someone as well perhaps.

Comment 5

[Ian Melven :imelven]

Morphing this slightly to specifically be about implementing the CSP 1.0 spec - that doesn't contain meta so I removed that dependency

Comment 6

[Ian Melven :imelven]

We should make sure that our implementation passes the w3c CSP tests here : https://dvcs.w3.org/hg/webappsec/file/746643cbf781/tests/csp/ including the submitted tests.

Comment 7

[Ian Melven :imelven]

Erland Oftedal has created a CSP 1.0 test page, we should make sure our implementation passes these tests : http://csptesting.herokuapp.com/

Source for the tests is at https://github.com/eoftedal/csp-testing

Thank you Erland !!

Comment 8

[Ian Melven :imelven]

(In reply to Ian Melven :imelven from comment #7)
> Erland Oftedal has created a CSP 1.0 test page, we should make sure our
> implementation passes these tests : http://csptesting.herokuapp.com/
> 
> Source for the tests is at https://github.com/eoftedal/csp-testing
> 
> Thank you Erland !!

a note that these use the X-Content-Security-Policy header, our 1.0 compliant implementation in bug 746978 expects to get 1.0 spec compliant policies in the Content-Security-Policy header (see bug 783049 for details)

Comment 9

[Erlend Oftedal]

Hi. I just updated the csptesting page. It now includes the header without the X- prefix, and you can also remove the old headers by using this URL:
http://csptesting.herokuapp.com/?disable_old_headers=true

Comment 10

[Ian Melven :imelven]

(In reply to Erlend from comment #9)
> Hi. I just updated the csptesting page. It now includes the header without
> the X- prefix, and you can also remove the old headers by using this URL:
> http://csptesting.herokuapp.com/?disable_old_headers=true

Awesome, thanks very much !

Comment 11

[Ian Melven :imelven]

I'm going to poach this from Brandon as I've been working on the dependent bugs - Brandon, let me know if you have any objections please :)

Comment 12

[Ian Melven :imelven]

Going to unassign myself and leave this as a purely tracking bug.

Comment 13

[Sylvestre Ledru [:Sylvestre]]

No assignee, updating the status.

Comment 14

[Sylvestre Ledru [:Sylvestre]]

No assignee, updating the status.

Comment 15

[Sylvestre Ledru [:Sylvestre]]

No assignee, updating the status.