Flip the pref to enable the Content Security Policy (CSP) 1.0 parser for SeaMonkey.

RESOLVED FIXED in seamonkey2.21

Status

SeaMonkey
Preferences
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: Philip Chee, Assigned: Philip Chee)

Tracking

Trunk
seamonkey2.21

SeaMonkey Tracking Flags

(seamonkey2.20 fixed, seamonkey2.21 fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

4 years ago
References:
  FX Bug 842657 Flip the pref to enable the CSP 1.0 parser for Firefox.
  FXOS Bug 858787 Flip the pref to turn on the CSP 1.0 parser for Firefox OS

http://en.wikipedia.org/wiki/Content_Security_Policy

https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465#Background

> Content Security Policy is intended to help web designers or server 
> administrators specify how content interacts on their web sites. It helps 
> mitigate and detect types of attacks such as XSS and data injection. CSP is not 
> intended to be a main line of defense, but rather one of the many layers of 
> security that can be employed to help secure a web site.
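The description quotes what CSP is for but not what a "CSP 1.0 parser" actually does with a header. The following is an added illustration, not Mozilla's parser and not code from this bug: a minimal model of CSP 1.0 directive parsing and source matching (default-src fallback, 'self', 'none', scheme sources, host wildcards, first-occurrence-wins for duplicate directives, 'unsafe-inline' gating inline script). The sample header, document URL and resource URLs are constructed for the example; report-uri, sandbox and path matching (which CSP 1.0 does not have) are left out.

```javascript
// Added example: a small model of CSP 1.0 policy parsing and source matching.
// Not Mozilla's implementation; sample policy and URLs below are constructed.

// Parse a Content-Security-Policy header value into Map<directive, [source-expr...]>.
// CSP 1.0: when a directive name repeats, the first occurrence wins and later ones are ignored.
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const rawDirective of headerValue.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (policy.has(name)) continue;
    policy.set(name, tokens.slice(1));
  }
  return policy;
}

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Does one source expression match a resource URL, given the document's URL?
function matchesSource(expr, resourceUrl, documentUrl) {
  const e = expr.toLowerCase();
  if (e === "'self'") return resourceUrl.origin === documentUrl.origin;
  if (e.startsWith("'")) return false;            // 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
  if (e === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return resourceUrl.protocol === e;   // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port], where host may be "*" or "*.domain"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Without an explicit scheme the document's own scheme is required.
  const wantScheme = (scheme ? scheme : documentUrl.protocol.slice(0, -1)) + ":";
  if (resourceUrl.protocol !== wantScheme) return false;
  const h = resourceUrl.hostname;
  if (host === "*") {
    // any host
  } else if (host.startsWith("*.")) {
    if (!h.endsWith(host.slice(1))) return false;   // "*.example.com" matches subdomains only
  } else if (h !== host) {
    return false;
  }
  const effectivePort = resourceUrl.port || DEFAULT_PORTS[resourceUrl.protocol] || "";
  if (port === undefined) {
    if (resourceUrl.port !== "") return false;      // no port in the expression: only the default port matches
  } else if (port !== "*" && effectivePort !== port) {
    return false;
  }
  return true;
}

// Sources governing a load kind: the specific directive, else default-src, else unrestricted.
function governingSources(policy, kind) {
  const directive = `${kind}-src`;
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return undefined;
}

// May a resource of the given kind ("script", "img", "style", ...) be loaded from resourceUrlString?
function isLoadAllowed(policy, kind, resourceUrlString, documentUrlString) {
  const sources = governingSources(policy, kind);
  if (sources === undefined) return true;
  const resourceUrl = new URL(resourceUrlString);
  const documentUrl = new URL(documentUrlString);
  return sources.some((expr) => matchesSource(expr, resourceUrl, documentUrl));
}

// Inline <script> is blocked unless the governing directive contains 'unsafe-inline'
// (this is the part of CSP that actually cuts off reflected/stored XSS payloads).
function allowsInlineScript(policy) {
  const sources = governingSources(policy, "script");
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed sample header in standard CSP 1.0 syntax, and a constructed document URL.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *; object-src 'none'";
const SAMPLE_DOC = "https://app.example.com/page";

const policy = parsePolicy(SAMPLE_POLICY);
console.log("script from cdn:", isLoadAllowed(policy, "script", "https://cdn.example.com/lib.js", SAMPLE_DOC));
console.log("script from elsewhere:", isLoadAllowed(policy, "script", "https://other.example.net/x.js", SAMPLE_DOC));
console.log("inline script:", allowsInlineScript(policy));

module.exports = { parsePolicy, matchesSource, governingSources, isLoadAllowed, allowsInlineScript };
```

With the sample policy, a script from cdn.example.com over https is allowed, the same script over plain http is not (the source expression carries an explicit scheme), inline script is blocked, images may come from anywhere, and plugins are blocked outright; styles fall back to default-src and so are limited to the page's own origin.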
(Assignee)

Comment 1

4 years ago
Created attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.
Attachment #753708 - Flags: review?(iann_bugzilla)

Comment 2

4 years ago
Comment on attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.

>+++ b/suite/browser/browser-prefs.js
>@@ -789,16 +789,18 @@ pref("breakpad.reportURL", "http://crash
> // Name of alternate about: page for certificate errors (when undefined, defaults to about:neterror)
> pref("security.alternate_certificate_error_page", "certerror");
> pref("security.warn_entering_secure", false);
> pref("security.warn_leaving_secure", false);
> pref("security.warn_submit_insecure", false);
> pref("security.warn_viewing_mixed", true);
> pref("security.warn_mixed_active_content", true);
> pref("security.warn_mixed_display_content", false);
>+// Turn on the CSP 1.0 parser for Content Security Policy headers
>+pref("security.csp.speccompliant", true);
> // Block insecure active content on https pages
> pref("security.mixed_content.block_active_content", true);
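Review bot: The comment above `pref("security.csp.speccompliant", true);` should say why the default is being flipped and where the change comes from, so a reader of browser-prefs.js can trace it later: something like `// Bug 842657 (Firefox) / this bug: use the CSP 1.0 parser for Content-Security-Policy headers` rather than only "Turn on the CSP 1.0 parser". The line is also wedged between the `security.warn_*` group and the `// Block insecure active content` comment that introduces the mixed-content pref, so it reads as if it belonged to the warning prefs; moving it after `security.mixed_content.block_active_content` (or giving it its own short block) keeps the grouping readable.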
My preference would be to have the new pref here rather than where you have it.
r=me with that fixed.
Attachment #753708 - Flags: review?(iann_bugzilla) → review+
(Assignee)

Comment 3

4 years ago
Pushed http://hg.mozilla.org/comm-central/rev/1bc26fe50696

>> // Block insecure active content on https pages
>> pref("security.mixed_content.block_active_content", true);
> My preference would be to have the new pref here rather than where you have it.
Fixed on check-in.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.21
(Assignee)

Comment 4

4 years ago
Comment on attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.

See Firefox Bug 842657 Comment 17 and Bug 842657 Comment 22

[Approval Request Comment]
Bug caused by (feature/regressing bug #): New feature
User impact if declined: CSP 1.0 policies with the standard syntax/semantics will not be supported.
Testing completed (on m-c, etc.): This landed on m-c on 2013-05-17, seemingly without problems.
Risk to taking this patch (and alternatives if risky): Other people should comment on the risk as far as coding change risk is concerned. There is some compatibility risk for a small number of websites that are using CSP 1.0. However, it will be easy to revert this change if we run into problems.
String or IDL/UUID changes made by this patch: None
Attachment #753708 - Flags: approval-comm-aurora?
(Assignee)

Updated

4 years ago
status-seamonkey2.20: --- → affected
status-seamonkey2.21: --- → fixed

Updated

4 years ago
Attachment #753708 - Flags: approval-comm-aurora? → approval-comm-aurora+
(Assignee)

Comment 5

4 years ago
Pushed to comm-aurora:
http://hg.mozilla.org/releases/comm-aurora/rev/22eb4f29fa78
status-seamonkey2.20: affected → fixed