References:
FX Bug 842657 Flip the pref to enable the CSP 1.0 parser for Firefox.
FXOS Bug 858787 Flip the pref to turn on the CSP 1.0 parser for Firefox OS.
http://en.wikipedia.org/wiki/Content_Security_Policy
https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465#Background

> Content Security Policy is intended to help web designers or server
> administrators specify how content interacts on their web sites. It helps
> mitigate and detect types of attacks such as XSS and data injection. CSP is not
> intended to be a main line of defense, but rather one of the many layers of
> security that can be employed to help secure a web site.
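The standard CSP 1.0 header syntax that the flipped pref enables, as an added example that is not Firefox or SeaMonkey code: a small parser for a Content-Security-Policy value plus a check of whether the parsed policy permits a load, with default-src fallback, first-directive-wins handling of duplicates, and an empty or 'none' source list denying everything. The policy and URLs are constructed for the example; host sources are matched on scheme and host only (ports and paths are ignored as a simplification).

```javascript
// Added example (not Firefox or SeaMonkey code): a minimal CSP 1.0 policy
// parser and load check. Assumptions: directives separated by ';', sources by
// whitespace; 'self', 'none', '*', scheme sources ("https:") and host sources
// with an optional "*." wildcard are handled; ports and paths in host sources
// are ignored to keep the example short.
const FETCH_DIRECTIVES = new Set(['script-src', 'style-src', 'img-src',
  'connect-src', 'font-src', 'object-src', 'media-src', 'frame-src']);

function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (policy.has(name)) continue; // CSP 1.0: the first directive wins, duplicates are ignored
    policy.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
  }
  return policy;
}

function sourceMatches(src, u, self) {
  if (src === "'self'") return u.protocol === self.protocol && u.host === self.host;
  if (src === '*') return true;
  if (src.endsWith(':')) return u.protocol === src;                 // scheme-source
  let host = src, scheme = self.protocol;                            // host-source
  const i = host.indexOf('://');
  if (i !== -1) { scheme = host.slice(0, i) + ':'; host = host.slice(i + 3); }
  if (u.protocol !== scheme) return false;  // no scheme given: must match the page's scheme
  host = host.split('/')[0].split(':')[0];  // drop path/port (simplification)
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1)) && u.hostname.length > host.length - 1;
  return u.hostname === host;
}

// Does `policy` allow loading `url` for `directive` on a page at `pageUrl`?
function allows(policy, directive, url, pageUrl) {
  let sources = policy.get(directive);
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) sources = policy.get('default-src');
  if (sources === undefined) return true;   // nothing governs this load
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const u = new URL(url), self = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, u, self));
}

// Constructed sample policy and page, not taken from any real site.
const SAMPLE_POLICY = parsePolicy(
  "default-src 'self'; script-src 'self' https://cdn.example.net *.static.example.org; img-src *; object-src 'none'");
const PAGE = 'https://www.example.org/index.html';
console.log(allows(SAMPLE_POLICY, 'script-src', 'https://cdn.example.net/a.js', PAGE)); // true
console.log(allows(SAMPLE_POLICY, 'style-src', 'https://cdn.example.net/a.css', PAGE)); // false
```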
Created attachment 753708
Patch v1.0 Do it.
Comment on attachment 753708 [details] [diff] [review] Patch v1.0 Do it. >+++ b/suite/browser/browser-prefs.js >@@ -789,16 +789,18 @@ pref("breakpad.reportURL", "http://crash > // Name of alternate about: page for certificate errors (when undefined, defaults to about:neterror) > pref("security.alternate_certificate_error_page", "certerror"); > pref("security.warn_entering_secure", false); > pref("security.warn_leaving_secure", false); > pref("security.warn_submit_insecure", false); > pref("security.warn_viewing_mixed", true); > pref("security.warn_mixed_active_content", true); > pref("security.warn_mixed_display_content", false); >+// Turn on the CSP 1.0 parser for Content Security Policy headers >+pref("security.csp.speccompliant", true); > // Block insecure active content on https pages > pref("security.mixed_content.block_active_content", true); My preference would be to have the new pref here rather than where you have it. r=me with that fixed.
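Review bot: the two new lines are inserted ahead of the `// Block insecure active content on https pages` comment, which separates that comment and its `pref("security.mixed_content.block_active_content", true);` line from the `security.warn_mixed_*` prefs they belong with; placing the new pref after the block_active_content line keeps the mixed-content settings contiguous, as the reviewer asks. The new comment would also help a later reader of browser-prefs.js if it named the bug that flipped the default (the bug number is not quoted in the hunk), since `pref("security.csp.speccompliant", true);` alone does not say whether this overrides a platform default on purpose.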
Pushed http://hg.mozilla.org/comm-central/rev/1bc26fe50696

>> // Block insecure active content on https pages
>> pref("security.mixed_content.block_active_content", true);
> My preference would be to have the new pref here rather than where you have it.

Fixed on check-in.
Comment on attachment 753708
Patch v1.0 Do it.

See Firefox Bug 842657 Comment 17 and Bug 842657 Comment 22

[Approval Request Comment]
Bug caused by (feature/regressing bug #): New feature
User impact if declined: CSP 1.0 policies with the standard syntax/semantics will not be supported.
Testing completed (on m-c, etc.): This landed on m-c on 2013-05-17, seemingly without problems.
Risk to taking this patch (and alternatives if risky): Other people should comment on the risk as far as coding change risk is concerned. There is some compatibility risk for a small number of websites that are using CSP 1.0. However, it will be easy to revert this change if we run into problems.
String or IDL/UUID changes made by this patch: None
Pushed to comm-aurora: http://hg.mozilla.org/releases/comm-aurora/rev/22eb4f29fa78