Bug 875706 - Flip the pref to enable the Content Security Policy (CSP) 1.0 parser for SeaMonkey.
Status: RESOLVED FIXED
Product: SeaMonkey
Classification: Client Software
Component: Preferences
Version: Trunk
Platform: All, OS: All
Priority/Severity: -- normal
Target Milestone: seamonkey2.21
Assigned To: Philip Chee
Reported: 2013-05-24 02:51 PDT by Philip Chee
Modified: 2013-06-01 09:44 PDT (History)

Attachments
Patch v1.0 Do it. (1.34 KB, patch)
2013-05-24 02:55 PDT, Philip Chee
iann_bugzilla: review+
iann_bugzilla: approval-comm-aurora+

Description Philip Chee 2013-05-24 02:51:52 PDT
References:
  FX Bug 842657 Flip the pref to enable the CSP 1.0 parser for Firefox.
  FXOS Bug 858787 Flip the pref to turn on the CSP 1.0 parser for Firefox OS

http://en.wikipedia.org/wiki/Content_Security_Policy

https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465#Background

> Content Security Policy is intended to help web designers or server
> administrators specify how content interacts on their web sites. It helps
> mitigate and detect types of attacks such as XSS and data injection. CSP is not
> intended to be a main line of defense, but rather one of the many layers of
> security that can be employed to help secure a web site.
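To make concrete what the "standard syntax/semantics" of a CSP 1.0 header are, here is a small added illustration (not code from this bug, SeaMonkey or Gecko): a parser for the directive list and a source-list matching check of the kind a CSP 1.0 parser performs. Simplifications are assumptions of this example: hosts are compared exactly or with a leading `*.` wildcard, ports and paths are ignored, and `origin` and `self` are plain `{scheme, host}` objects with lowercase hosts.

```javascript
// Added example, not from the bug or the SeaMonkey tree: minimal CSP 1.0
// directive parsing and source matching. Assumptions: ports/paths ignored,
// origin/self are {scheme, host} objects, hosts already lowercase.

// "name value value; name value" -> Map(name -> [value, ...]).
// CSP 1.0 ignores repeated directives: the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (policy.has(name)) continue;
    policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression ('self', 'none', *, scheme:, host-source)
// match the candidate origin? Keywords like 'unsafe-inline' never match.
function sourceMatches(expr, origin, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return origin.scheme === self.scheme && origin.host === self.host;
  if (e === '*') return true;
  if (e.endsWith(':')) return origin.scheme === e.slice(0, -1); // scheme-source
  let scheme = self.scheme;                 // scheme-less host-source inherits
  let host = e;                             // the protected resource's scheme
  const m = e.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1]; host = m[2]; }
  host = host.split('/')[0].split(':')[0];  // drop path and port (simplified)
  if (scheme !== origin.scheme) return false;
  if (host.startsWith('*.')) {              // wildcard needs a non-empty label
    const suffix = host.slice(1);
    return origin.host.endsWith(suffix) && origin.host.length > suffix.length;
  }
  return origin.host === host;
}

// May a resource of `type` (e.g. 'script-src') be loaded from `origin`?
// Falls back to default-src; with no applicable directive nothing is blocked.
function allows(policy, type, origin, self) {
  const list = policy.get(type) ?? policy.get('default-src');
  if (list === undefined) return true;
  return list.some((expr) => sourceMatches(expr, origin, self));
}
```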
Comment 1 Philip Chee 2013-05-24 02:55:53 PDT
Created attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.
Comment 2 Ian Neal 2013-05-26 09:09:35 PDT
Comment on attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.

>+++ b/suite/browser/browser-prefs.js
>@@ -789,16 +789,18 @@ pref("breakpad.reportURL", "http://crash
> // Name of alternate about: page for certificate errors (when undefined, defaults to about:neterror)
> pref("security.alternate_certificate_error_page", "certerror");
> pref("security.warn_entering_secure", false);
> pref("security.warn_leaving_secure", false);
> pref("security.warn_submit_insecure", false);
> pref("security.warn_viewing_mixed", true);
> pref("security.warn_mixed_active_content", true);
> pref("security.warn_mixed_display_content", false);
>+// Turn on the CSP 1.0 parser for Content Security Policy headers
>+pref("security.csp.speccompliant", true);
> // Block insecure active content on https pages
> pref("security.mixed_content.block_active_content", true);
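Review bot: the two added lines land between the security.warn_* block and the "// Block insecure active content on https pages" comment, which splits the mixed-content settings (warn_mixed_* above, mixed_content.block_active_content below) that read as one group; place them after `pref("security.mixed_content.block_active_content", true);` so the CSP pref sits in its own block, and consider naming the bug in the comment (e.g. `// Bug 875706: turn on the CSP 1.0 parser for Content Security Policy headers`) so the flip stays traceable when the pref is revisited.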
My preference would be to have the new pref here rather than where you have it.
r=me with that fixed.
Comment 3 Philip Chee 2013-05-31 12:40:06 PDT
Pushed http://hg.mozilla.org/comm-central/rev/1bc26fe50696

>> // Block insecure active content on https pages
>> pref("security.mixed_content.block_active_content", true);
> My preference would be to have the new pref here rather than where you have it.
Fixed on check-in.
Comment 4 Philip Chee 2013-05-31 12:48:11 PDT
Comment on attachment 753708 [details] [diff] [review]
Patch v1.0 Do it.

See Firefox Bug 842657 Comment 17 and Bug 842657 Comment 22

[Approval Request Comment]
Bug caused by (feature/regressing bug #): New feature
User impact if declined: CSP 1.0 policies with the standard syntax/semantics will not be supported.
Testing completed (on m-c, etc.): This landed on m-c on 2013-05-17, seemingly without problems.
Risk to taking this patch (and alternatives if risky): Other people should comment on the risk as far as coding change risk is concerned. There is some compatibility risk for a small number of websites that are using CSP 1.0. However, it will be easy to revert this change if we run into problems.
String or IDL/UUID changes made by this patch: None
Comment 5 Philip Chee 2013-06-01 09:44:51 PDT
Pushed to comm-aurora:
http://hg.mozilla.org/releases/comm-aurora/rev/22eb4f29fa78
