858789 - CSP should use the spec compliant pref to determine what parser to use for apps

Status: RESOLVED FIXED

(Core :: Security, defect)

Description

[Ian Melven :imelven]

In bug 746978, I made apps always use the 1.0 spec compliant CSP parser to process their default or manifest specified.

After discussing with Paul Theriault, we think we want to choose which parser to use based on the same pref that opts in to using the new parser for an unprefixed CSP header. I'll write the patch to do that.

Comment 1

[Ian Melven :imelven]

Attachment: patch v1

Comment 2

[Ian Melven :imelven]

I did a try push to check that the B2G mochitests pass with this patch and the other patches I would like to land to turn on CSP 1.0 for desktop Firefox. 

https://tbpl.mozilla.org/?tree=Try&rev=6cda7e50be0c&showall=1

There are existing mochitests that check that privileged/trusted apps have the correct default CSP applied to them and that apps that specify a CSP in their manifest work correctly. 

This patch makes sure the behavior of B2G doesn't change until it's explicitly decided to do so by landing bug 858787 and we're sure we've done the work to make it ok to do so wrt apps, mochitests, etc. by fixing that bug's blockers.

Comment 3

[Johnny Stenback (:jst)]

Comment on attachment 734866 [details] [diff] [review]
patch v1

Stealing review from Jonas here to offload him a bit. r=jst

Comment 4

[Ian Melven :imelven]

(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #3)
> Comment on attachment 734866 [details] [diff] [review]
> patch v1
> 
> Stealing review from Jonas here to offload him a bit. r=jst

Thank you Johnny !

Comment 5

[Ian Melven :imelven]

https://hg.mozilla.org/integration/mozilla-inbound/rev/0dd127fed18a

Comment 6

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/0dd127fed18a