Closed
Bug 842557
Opened 12 years ago
Closed 12 years ago
Update django-csp on Firefox Flicks
Categories
(Websites :: Firefox Flicks, defect)
Websites
Firefox Flicks
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: freddy, Unassigned)
References
Details
The deployed version seems to have an outdated version of django-csp, which still sends the "allow" header instead of "default-src". The Firefox developer console also mentions this as deprecated.
The most current django-csp version appears to have fixed that.
Comment 1•12 years ago
I'll have to look at it again to recall the specifics, but the problem with using the current django-csp IIRC is that it uses the X-Content-Security-Policy header but uses the current specification, which causes issues in Firefox when trying to allow inline JS, which we do for Google Analytics.
CC'ing jsocol to correct me if I'm wrong, otherwise this bug will involve fixing django-csp if needed.
Comment 2•12 years ago
If you're using unsafe-inline and CSP you're losing almost all the benefit of CSP in the first place. If you only need it for Google Analytics, you should externalize the GA code.
That said, :mkelly is right, there's a mismatch in django-csp right now because the spec has been so fluxy. It needs to send up to 3 headers, X-Content-Security-Policy, X-WebKit-CSP (thanks, Webama), and Content-Security-Policy. And all of those have *slightly* different syntax. WOO.
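An added illustration of the header mismatch described in this comment (example code, not django-csp's or Firefox Flicks' own): one policy rendered as the three header variants, with the older Mozilla X-Content-Security-Policy spelling ("allow" instead of "default-src", inline scripts enabled via "options inline-script" rather than 'unsafe-inline'), plus a check that flags policies which still permit inline script. The sample policy and the assumption that X-WebKit-CSP took the standard draft syntax are mine.

```python
from typing import Dict, List

# Constructed sample: a policy that still allows inline script for Google Analytics.
SAMPLE_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'", "https://www.google-analytics.com"],
    "img-src": ["'self'", "https://www.google-analytics.com"],
}

def serialize(policy: Dict[str, List[str]]) -> str:
    """Join directives into a header value: 'name src src; name src'."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

def to_legacy_x_csp(policy: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Rewrite standard directives into the pre-W3C Mozilla X-CSP syntax.

    In that syntax the default directive was spelled 'allow', and inline
    scripts were switched on with 'options inline-script' instead of the
    'unsafe-inline' source token, which the old parser did not understand.
    """
    legacy: Dict[str, List[str]] = {}
    needs_inline = False
    for name, srcs in policy.items():
        kept = [s for s in srcs if s != "'unsafe-inline'"]
        needs_inline = needs_inline or len(kept) != len(srcs)
        legacy["allow" if name == "default-src" else name] = kept or ["'none'"]
    if needs_inline:
        legacy["options"] = ["inline-script"]
    return legacy

def build_csp_headers(policy: Dict[str, List[str]]) -> Dict[str, str]:
    """Emit the three headers the comment says a middleware has to send."""
    standard = serialize(policy)
    return {
        "Content-Security-Policy": standard,
        "X-WebKit-CSP": standard,  # assumption: WebKit's prefix used the standard draft syntax
        "X-Content-Security-Policy": serialize(to_legacy_x_csp(policy)),
    }

def allows_inline_script(policy: Dict[str, List[str]]) -> bool:
    """True when inline <script> is permitted, which forfeits most of CSP's XSS protection."""
    srcs = policy.get("script-src") or policy.get("default-src", [])
    return "'unsafe-inline'" in srcs

if __name__ == "__main__":
    for header, value in build_csp_headers(SAMPLE_POLICY).items():
        print(f"{header}: {value}")
    print("inline script allowed:", allows_inline_script(SAMPLE_POLICY))
```

Dropping 'unsafe-inline' from script-src (after moving the GA snippet to an external file, as the comment suggests) makes the check return False and removes the "options inline-script" directive from the legacy header.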
Reporter
Comment 3•12 years ago
Good point. I filed bug 842564 about the actual policy content, CCing you on that.
Comment 4•12 years ago
Commit pushed to master at https://github.com/mozilla/firefox-flicks
https://github.com/mozilla/firefox-flicks/commit/12dd259c38b93568aa792bb21c850dfab39b522f
Fix bug 842557 and bug 842564: Cull CSP and move GA to external JS file.
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED