Closed Bug 1472661 Opened 6 years ago Closed 6 years ago

Enable and ship CSP Policy violation events

Categories

(Core :: DOM: Security, enhancement, P3)

Tracking

RESOLVED FIXED
mozilla63
Tracking Status
relnote-firefox --- -
firefox63 --- fixed

People

(Reporter: ckerschb, Assigned: baku)

References

(Blocks 3 open bugs)

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1] [domsecurity-active] )

Within Bug 1037335 we implemented most of CSP policy violation events but there are a few dependencies that need to clear before we can ship violation events by default. In particular:
* Bug 1418236
* Bug 1418241
* Bug 1418246
* (maybe even others)

Currently CSP policy violation events are enabled in Nightly builds (security.csp.enable_violation_events) but obviously it would be great if we can clear those dependencies and ship violation events by default!
Depends on: 1037335
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
No longer depends on: 1037335
Depends on: 1473218
Depends on: 1472927
Depends on: 1473587
Assignee: nobody → amarchesini
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/020317ed6cb8
Enable and ship CSP Policy violation events, r=ckerschb
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog1] → [domsecurity-backlog1] [domsecurity-active]
Would be nice to have this in the release-note. Let's mark this bug as relnote-firefox
relnote-firefox: --- → ?
Whiteboard: [domsecurity-backlog1] [domsecurity-active] → [domsecurity-backlog1] [domsecurity-active]
https://hg.mozilla.org/mozilla-central/rev/020317ed6cb8
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
(In reply to Andrea Marchesini [:baku] from comment #3)
> Would be nice to have this in the release-note. Let's mark this bug as
> relnote-firefox

Andrea, could you provide the release note text and answer the release notes questions to help us understand what this means to the end-user? 
Thanks

Release Note Request (optional, but appreciated)
[Why is this notable]:
[Affects Firefox for Android]:
[Suggested wording]:
[Links (documentation, blog post, etc)]:
Flags: needinfo?(amarchesini)
[Why is this notable]: From the spec: "When one or more of a policy’s directives is violated, a violation report may be generated and sent out to a reporting endpoint associated with the policy." This is an important feature for developers. Plus, introducing this feature, Firefox is more compliant with CSP3 spec.
[Affects Firefox for Android]: supported
[Links (documentation, blog post, etc)]: https://www.w3.org/TR/CSP3/#securitypolicyviolationevent
Flags: needinfo?(amarchesini)
(In reply to Andrea Marchesini [:baku] from comment #6)
> [Why is this notable]: From the spec: "When one or more of a policy’s
> directives is violated, a violation report may be generated and sent out to
> a reporting endpoint associated with the policy." This is an important feature
> for developers. Plus, introducing this feature, Firefox is more compliant
> with CSP3 spec.
> [Affects Firefox for Android]: supported
> [Links (documentation, blog post, etc)]:
> https://www.w3.org/TR/CSP3/#securitypolicyviolationevent

Same question as in https://bugzilla.mozilla.org/show_bug.cgi?id=1470111#c6 :)

Thanks!
Flags: needinfo?(amarchesini)
> Same question as in https://bugzilla.mozilla.org/show_bug.cgi?id=1470111#c6

I guess, same answer :) But this is an API! We can add this in the 'new APIs' section.
Flags: needinfo?(amarchesini)
Removing the relnote request as this will go on the MDN release page.