Bug 663566 (csp-w3c-1.0), status: Open
Opened 14 years ago, updated 2 years ago
[meta] Implement Content Security Policy 1.0 per the W3C standard
Categories: Core :: Security, enhancement
Tracking: NEW
People: Reporter: bsterne, Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Details: Keywords: dev-doc-needed, meta; Whiteboard: [doc: see comment#4]
We have a few bugs that need to be fixed to bring Gecko's Content Security Policy into conformance with the W3C standard being developed. I'll use this bug to track that work.
Updated•14 years ago (Reporter)
Alias: csp-w3c
Updated•13 years ago
Comment 1•12 years ago
Close this as a duplicate of 493857?
Comment 2•12 years ago
(In reply to Rob Mueller from comment #1)
> Close this as a duplicate of 493857?

No, this is the next revision of CSP -- the one that satisfies the W3C standard (not our own work in progress). See comment 0.
Comment 3•12 years ago
I think we should probably land much of these changes in a way so that the new header name ("Content-Security-Policy") is the header parsed for 1.0 compliance. This means the old header "X-Content-Security-Policy" should still work with old syntax, but the new one should only support the actual spec.
Comment 4•12 years ago
(In reply to Sid Stamm [:geekboy] from comment #3)
> I think we should probably land much of these changes in a way so that the new header name ("Content-Security-Policy") is the header parsed for 1.0 compliance. This means the old header "X-Content-Security-Policy" should still work with old syntax, but the new one should only support the actual spec.

That makes sense to me. How long are we going to support the old header? We should have a plan for removing it eventually, IMO. Also, maybe we should show a "this will be deprecated soon" warning when the old header is used, once the new one with new syntax lands as well. That would make a good first bug for someone as well, perhaps.
Updated•12 years ago
Keywords: dev-doc-needed
Whiteboard: [doc: see comment#4]
Comment 5•12 years ago
Morphing this slightly to specifically be about implementing the CSP 1.0 spec - that doesn't contain meta so I removed that dependency
Depends on: 663570
Summary: Implement Content Security Policy per the W3C standard → Implement Content Security Policy 1.0 per the W3C standard
Comment 6•12 years ago
We should make sure that our implementation passes the W3C CSP tests here: https://dvcs.w3.org/hg/webappsec/file/746643cbf781/tests/csp/ including the submitted tests.
Comment 7•12 years ago
Erland Oftedal has created a CSP 1.0 test page; we should make sure our implementation passes these tests: http://csptesting.herokuapp.com/

Source for the tests is at https://github.com/eoftedal/csp-testing

Thank you Erland!!
Comment 8•12 years ago
(In reply to Ian Melven :imelven from comment #7)
> Erland Oftedal has created a CSP 1.0 test page, we should make sure our implementation passes these tests : http://csptesting.herokuapp.com/
>
> Source for the tests is at https://github.com/eoftedal/csp-testing
>
> Thank you Erland !!

A note that these use the X-Content-Security-Policy header; our 1.0 compliant implementation in bug 746978 expects to get 1.0 spec compliant policies in the Content-Security-Policy header (see bug 783049 for details).
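Comments 3 and 4 describe the transition rule (the new Content-Security-Policy header is parsed strictly per CSP 1.0, the old X-Content-Security-Policy header keeps the old syntax and should eventually warn), and comment 8 notes that a test page sending only the old header will not exercise the 1.0 code path. The following is an added illustration of that header-selection logic and a minimal CSP 1.0 directive parser; it is not Gecko code and not part of the bug. It assumes the standard header always takes precedence when both are present, models the legacy syntax only by translating its old `allow` directive to `default-src` (an assumption about the pre-1.0 Mozilla syntax), and uses constructed sample headers.

```javascript
// Added example (not Gecko code): choosing which CSP header to honour during the
// move from the legacy X-Content-Security-Policy header to the standard
// Content-Security-Policy header, plus a minimal CSP 1.0 directive parser.
// Assumptions: the standard header always wins; legacy syntax is modelled only
// by its "allow" directive (treated here as the old spelling of default-src);
// the sample headers below are constructed for illustration.

const STANDARD_HEADER = 'content-security-policy';
const LEGACY_HEADER = 'x-content-security-policy';

// Parse a CSP 1.0 policy string: directives are ';'-separated, each a name
// followed by whitespace-separated source expressions. Per CSP 1.0, when a
// directive name occurs more than once, the first occurrence wins.
function parsePolicy(policy, legacy = false) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    let name = tokens[0].toLowerCase();
    // Assumed legacy translation: the old "allow" directive means default-src.
    if (legacy && name === 'allow') name = 'default-src';
    if (directives.has(name)) continue;
    directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide which header governs the response. Returns the parsed directives,
// which header they came from, and the deprecation/conflict warnings a
// browser could log to the console for the site developer.
function selectPolicy(headers) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const norm = new Map();
  for (const [k, v] of Object.entries(headers)) norm.set(k.toLowerCase(), v);
  const warnings = [];
  if (norm.has(STANDARD_HEADER)) {
    if (norm.has(LEGACY_HEADER)) {
      warnings.push('Both headers present; X-Content-Security-Policy ignored in favour of Content-Security-Policy.');
    }
    return { source: 'standard', directives: parsePolicy(norm.get(STANDARD_HEADER)), warnings };
  }
  if (norm.has(LEGACY_HEADER)) {
    warnings.push('X-Content-Security-Policy is deprecated; send Content-Security-Policy using CSP 1.0 syntax.');
    return { source: 'legacy', directives: parsePolicy(norm.get(LEGACY_HEADER), true), warnings };
  }
  return { source: 'none', directives: new Map(), warnings };
}

// CSP 1.0 fallback: a fetch directive that is absent inherits default-src.
// Returns null when neither is present (no restriction applies).
function allowedSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Constructed sample responses, of the kind a CSP test page might send.
const SAMPLE_BOTH = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.example; script-src *",
  'X-Content-Security-Policy': "allow 'self'",
};
const SAMPLE_LEGACY_ONLY = { 'X-Content-Security-Policy': "allow 'self'; img-src *" };

if (typeof require !== 'undefined' && require.main === module) {
  for (const sample of [SAMPLE_BOTH, SAMPLE_LEGACY_ONLY]) {
    const r = selectPolicy(sample);
    console.log(r.source, [...r.directives], r.warnings);
    console.log('effective script-src:', allowedSources(r.directives, 'script-src'));
  }
}
```

Run with `node` to see that the standard header is honoured (with a conflict warning) when both are present, that the duplicate `script-src` is dropped in favour of the first, and that a legacy-only response yields a deprecation warning, which is the kind of signal comment 4 suggests surfacing to developers.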
Comment 9•12 years ago
Hi. I just updated the csptesting page. It now includes the header without the X- prefix, and you can also remove the old headers by using this URL: http://csptesting.herokuapp.com/?disable_old_headers=true
Comment 10•12 years ago
(In reply to Erlend from comment #9)
> Hi. I just updated the csptesting page. It now includes the header without the X- prefix, and you can also remove the old headers by using this URL: http://csptesting.herokuapp.com/?disable_old_headers=true

Awesome, thanks very much!
Comment 11•12 years ago
I'm going to poach this from Brandon as I've been working on the dependent bugs - Brandon, let me know if you have any objections please :)
Assignee: brandon → imelven
Updated•12 years ago
Status: NEW → ASSIGNED
Comment 12•12 years ago
Going to unassign myself and leave this as a purely tracking bug.
Assignee: imelven → nobody
Updated•12 years ago
Alias: csp-w3c → csp-w3c-1.0
Updated•12 years ago
Component: DOM: Core & HTML → Security
Updated•11 years ago
Depends on: CVE-2014-1485
Updated•11 years ago
Blocks: csp-legacy-removal
Updated•11 years ago
No longer blocks: csp-legacy-removal
Depends on: csp-legacy-removal
Comment 14•6 years ago
No assignee, updating the status.
Comment 15•6 years ago
No assignee, updating the status.
Updated•6 years ago
Type: defect → enhancement
Updated•6 years ago
Summary: Implement Content Security Policy 1.0 per the W3C standard → [meta] Implement Content Security Policy 1.0 per the W3C standard
Updated•2 years ago
Severity: normal → S3