
Flip the pref to enable the Content Security Policy (CSP) 1.0 parser for SeaMonkey.

RESOLVED FIXED in seamonkey2.21

Status

SeaMonkey
Preferences
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: Philip Chee, Assigned: Philip Chee)

Tracking

Trunk
seamonkey2.21

SeaMonkey Tracking Flags

(seamonkey2.20 fixed, seamonkey2.21 fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

4 years ago
References:
  FX Bug 842657 Flip the pref to enable the CSP 1.0 parser for Firefox.
  FXOS Bug 858787 Flip the pref to turn on the CSP 1.0 parser for Firefox OS

http://en.wikipedia.org/wiki/Content_Security_Policy

https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465#Background

> Content Security Policy is intended to help web designers or server 
> administrators specify how content interacts on their web sites. It helps 
> mitigate and detect types of attacks such as XSS and data injection. CSP is not 
> intended to be a main line of defense, but rather one of the many layers of 
> security that can be employed to help secure a web site.
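What "the CSP 1.0 parser" changes in practice is which header grammar and source-matching rules the browser applies. The following is an added illustration, not code from this bug, the SeaMonkey patch or Gecko's own CSP implementation: a small JavaScript model of the CSP 1.0 directive syntax and source-list semantics (first duplicate directive wins, fallback from a missing fetch directive to default-src, 'self', scheme sources, wildcard host sources, and inline script blocked unless 'unsafe-inline' is listed). The function names, the sample header and the page origin are all constructed for the example; report-uri, sandbox and path matching are deliberately left out.

```javascript
// Added example: a minimal model of CSP 1.0 parsing and source matching.
// Not Gecko's parser; all names and sample data here are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// "script-src 'self' https://cdn.example.com; img-src *" ->
// { "script-src": ["'self'", "https://cdn.example.com"], "img-src": ["*"] }
function parsePolicy(header) {
  const directives = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP 1.0: a repeated directive name is ignored, the first one wins.
    if (name in directives) continue;
    directives[name] = tokens.slice(1);
  }
  return directives;
}

// Host part of a host-source: exact match, or "*.suffix" matching any
// subdomain of suffix (but not suffix itself).
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Does one source expression allow fetching `url` for a document at `origin`?
function sourceMatches(expr, url, origin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return true;
  if (e === "'self'") return url.origin === origin.origin;
  // These keywords only affect inline script/eval, never a fetch.
  if (e === "'unsafe-inline'" || e === "'unsafe-eval'") return false;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  // host-source: [ scheme "://" ] host [ ":" port ]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // No scheme in the source: CSP 1.0 requires the document's own scheme.
  const wantScheme = scheme ? scheme + ":" : origin.protocol;
  if (url.protocol !== wantScheme) return false;
  if (!hostMatches(host, url.hostname)) return false;
  // No port in the source: the URL must use the scheme's default port
  // (WHATWG URL reports a default port as "").
  if (port === undefined) return url.port === "";
  if (port === "*") return true;
  return (url.port || DEFAULT_PORTS[url.protocol] || "") === port;
}

// Source list governing `directive`, with the CSP 1.0 fallback to default-src.
// null means the policy places no restriction on that directive.
function governingSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if ("default-src" in policy) return policy["default-src"];
  return null;
}

function allowsSource(policy, directive, urlString, originString) {
  const sources = governingSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  const origin = new URL(originString);
  return sources.some((s) => sourceMatches(s, url, origin));
}

// Inline <script> is blocked as soon as any list governs script-src,
// unless that list contains 'unsafe-inline'.
function allowsInlineScript(policy) {
  const sources = governingSources(policy, "script-src");
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed sample header and page origin (not from any real site).
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' https://cdn.example.com *.static.example.org; " +
  "img-src *; script-src 'unsafe-inline'";
const policy = parsePolicy(SAMPLE_HEADER);
const page = "https://www.example.com/";

console.log(allowsSource(policy, "script-src", "https://cdn.example.com/app.js", page)); // true
console.log(allowsSource(policy, "script-src", "https://evil.example.net/x.js", page));  // false
console.log(allowsSource(policy, "style-src", "https://cdn.example.com/a.css", page));   // false (falls back to default-src 'self')
console.log(allowsInlineScript(policy)); // false: the second script-src is a duplicate and is ignored
```

The last line is the kind of detail the "standard syntax/semantics" wording in the approval request is about: under the 1.0 grammar a repeated directive does not merge or override, it is dropped, so a site that relied on a different merging behaviour would see its policy tighten once the spec-compliant parser is on.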
(Assignee)

Comment 1

4 years ago
Created attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.
Attachment #753708 - Flags: review?(iann_bugzilla)

Comment 2

4 years ago
Comment on attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.

>+++ b/suite/browser/browser-prefs.js
>@@ -789,16 +789,18 @@ pref("breakpad.reportURL", "http://crash
> // Name of alternate about: page for certificate errors (when undefined, defaults to about:neterror)
> pref("security.alternate_certificate_error_page", "certerror");
> pref("security.warn_entering_secure", false);
> pref("security.warn_leaving_secure", false);
> pref("security.warn_submit_insecure", false);
> pref("security.warn_viewing_mixed", true);
> pref("security.warn_mixed_active_content", true);
> pref("security.warn_mixed_display_content", false);
>+// Turn on the CSP 1.0 parser for Content Security Policy headers
>+pref("security.csp.speccompliant", true);
> // Block insecure active content on https pages
> pref("security.mixed_content.block_active_content", true);
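Review bot: the comment on the new `security.csp.speccompliant` line says what the pref switches on but not why SeaMonkey is flipping it now, which matters for a default that is expected to be reverted if sites break; point the comment at the Firefox bug this mirrors (bug 842657, cited in the description) so the origin of the value is traceable when the line is next compared against mozilla-central. Moving the pref down next to `security.mixed_content.block_active_content`, as requested above, also keeps it with the content-blocking prefs rather than inside the run of `security.warn_*` dialog prefs.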
My preference would be to have the new pref here rather than where you have it.
r=me with that fixed.
Attachment #753708 - Flags: review?(iann_bugzilla) → review+
(Assignee)

Comment 3

4 years ago
Pushed http://hg.mozilla.org/comm-central/rev/1bc26fe50696

>> // Block insecure active content on https pages
>> pref("security.mixed_content.block_active_content", true);
> My preference would be to have the new pref here rather than where you have it.
Fixed on check-in.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.21
(Assignee)

Comment 4

4 years ago
Comment on attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.

See Firefox Bug 842657 Comment 17 and Bug 842657 Comment 22

[Approval Request Comment]
Bug caused by (feature/regressing bug #): New feature
User impact if declined: CSP 1.0 policies with the standard syntax/semantics will not be supported.
Testing completed (on m-c, etc.): This landed on m-c on 2013-05-17, seemingly without problems.
Risk to taking this patch (and alternatives if risky): Other people should comment on the risk as far as coding change risk is concerned. There is some compatibility risk for a small number of websites that are using CSP 1.0. However, it will be easy to revert this change if we run into problems.
String or IDL/UUID changes made by this patch: None
Attachment #753708 - Flags: approval-comm-aurora?
(Assignee)

Updated

4 years ago
status-seamonkey2.20: --- → affected
status-seamonkey2.21: --- → fixed

Updated

4 years ago
Attachment #753708 - Flags: approval-comm-aurora? → approval-comm-aurora+
(Assignee)

Comment 5

4 years ago
Pushed to comm-aurora:
http://hg.mozilla.org/releases/comm-aurora/rev/22eb4f29fa78
status-seamonkey2.20: affected → fixed