Closed Bug 797657 Opened 12 years ago Closed 12 years ago

Change default CSP to desired policy for certified apps

Categories: Core :: General, defect, P2
Status: RESOLVED FIXED
Target Milestone: B2G C2 (20nov-10dec)
blocking-basecamp: +
Tracking Status: firefox18 --- fixed; firefox19 --- fixed; firefox20 --- fixed
People: Reporter: sicking, Assigned: ochameau
Whiteboard: [qa-]
Attachments: 1 file

Right now we had to adjust the policy to allow inline scripts and stylesheets since otherwise some apps broke. We should flip it back and find all cases which give warnings and fix those.
Depends on: 799997
Priority: -- → P2
Depends on: 796739
Why don't they use 'unsafe-inline' (or obsolete 'inline-script')?
Why don't we require to use CSP properly to certify them?

Privileged or certified apps should be more secure than normal web apps.
I believe it's better to help app developers, not lose security of our OS.
That's exactly why we have this bug filed.
Blocks: 807304
I set the CSP prefs manually in system/b2g/defaults/pref/user.js and everything seems to still work.  Would be nice if someone else wants to verify, but then I say we flip the switch.  I used:
pref("security.apps.certified.CSP.default", "default-src *; script-src 'self'; object-src 'none'; style-src 'self'");
Milestoning for C2 (deadline of 12/10), as this meets the criteria of "known P2 bugs found before or during C1".
Target Milestone: --- → B2G C2 (20nov-10dec)
Assignee: nobody → poirot.alex
Comment on attachment 682108 [details] [diff] [review]
Bug 797657: Change default CSP to desired policy for certified apps

See bug 796739 comment 30 for a description about existing CSP violation still alive in gaia. We would like to wait for bug 796739 to be closed before landing this patch.
Attachment #682108 - Flags: review?(jonas)
Comment on attachment 682108 [details] [diff] [review]
Bug 797657: Change default CSP to desired policy for certified apps

Review of attachment 682108 [details] [diff] [review]:
-----------------------------------------------------------------

Assuming that you've done a lot of testing to make sure that this doesn't break anything, r=me
Attachment #682108 - Flags: review?(jonas) → review+
Is this ready to land, Alex?
Flags: needinfo?(poirot.alex)
Still need attachment 682083 [details] from bug 796739.
I'll try to get it reviewed'n landed tomorrow.
Flags: needinfo?(poirot.alex)
We are now ready to flip to safe default, only UITest app is going to be broken.
But it is only used for manual testing and will hopefully be fixed easily thanks to bug 801783.

But I had a relevant comment from James, why is document.write allowed?
It doesn't seem to be blocked by CSP.
Keywords: checkin-needed
(In reply to Alexandre Poirot (:ochameau) from comment #10)
> We are now ready to flip to safe default, only UITest app is going to be
> broken.
> But it is only used for manual testing and will hopefully be fixed easily
> thanks to bug 801783.
> 
> But I had a relevant comment from James, why is document.write allowed?
> It doesn't seem to be blocked by CSP.

I discussed this with Sid, our understanding is that document.write is not intended to be blocked by CSP, but the things it might inject e.g. inline scripts should be blocked (assuming the policy hasn't opted in to unsafe-inline for scripts, of course).
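The distinction drawn in the comment above (document.write itself is not something CSP gates, while the inline script it injects is), checked against the policy string from comment 3, as an added example that is not part of this bug or of Gecko's CSP implementation. The app origin, the remote origin and the relaxed interim policy string are constructed for the example.

```javascript
// Added example, not code from this bug or from Gecko: a minimal model of how
// the certified-app policy from comment 3 is evaluated. Only the source
// expressions it needs are handled ('*', 'self', 'none', 'unsafe-inline', a literal origin).

// Parse "directive src src; directive src" into { directive: [src, ...] }.
function parseCsp(policyString) {
  const policy = {};
  for (const part of policyString.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// A fetch directive that is absent falls back to default-src.
function sourcesFor(policy, directive) {
  return policy[directive] || policy["default-src"] || [];
}

// `load` is { inline: true } for an inline <script>/<style>, or { origin } for
// an external resource. Inline content needs 'unsafe-inline'; CSP does not care
// how the block got there, so markup injected via document.write() is judged the same.
function cspAllows(policy, directive, load, pageOrigin) {
  const sources = sourcesFor(policy, directive);
  if (sources.includes("'none'")) return false;
  if (load.inline) return sources.includes("'unsafe-inline'");
  return sources.some((src) => src === "*" ||
    (src === "'self'" && load.origin === pageOrigin) || src === load.origin);
}

// Policy from comment 3 of this bug.
const CERTIFIED_CSP =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self'";
// Constructed stand-in for the relaxed interim policy the description mentions.
const RELAXED_CSP = "default-src *; script-src 'self' 'unsafe-inline'; " +
  "object-src 'none'; style-src 'self' 'unsafe-inline'";
const APP_ORIGIN = "app://example.app"; // constructed origin for the app itself

// Summarise what a policy permits for the loads that matter in this bug.
function evaluatePolicy(policyString, pageOrigin = APP_ORIGIN) {
  const p = parseCsp(policyString);
  return {
    inlineScript: cspAllows(p, "script-src", { inline: true }, pageOrigin),
    selfScript: cspAllows(p, "script-src", { origin: pageOrigin }, pageOrigin),
    remoteScript: cspAllows(p, "script-src", { origin: "https://cdn.example" }, pageOrigin),
    inlineStyle: cspAllows(p, "style-src", { inline: true }, pageOrigin),
    anyObject: cspAllows(p, "object-src", { origin: "https://cdn.example" }, pageOrigin),
    remoteImage: cspAllows(p, "img-src", { origin: "https://cdn.example" }, pageOrigin),
  };
}
```

Under the comment 3 policy an inline script block is refused whether it was in the original markup or written in via document.write, while a script fetched from the app's own origin still loads; the relaxed policy only differs by admitting the inline cases.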
This was backed out while investigating some other bustage that landed in the same push.

Re-landed:
https://hg.mozilla.org/integration/mozilla-inbound/rev/374ff1d28158
https://hg.mozilla.org/mozilla-central/rev/374ff1d28158
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [qa-]
Blocks: 817563
