Closed Bug 842657 Opened 11 years ago Closed 11 years ago

Flip the pref to enable the CSP 1.0 parser for Firefox

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 24
Tracking Flags:
Tracking Status
firefox22 --- unaffected
firefox23 + verified
firefox24 + verified

People

(Reporter: imelven, Assigned: imelven)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

patch v1
5.69 KB, patch
jst
: review+
lsblakk
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
We have a CSP implementation that complies with the CSP 1.0 spec.

It's behind a pref currently that is only turned on during mochitests.

When the last piece of the CSP 1.0 work (bug 763879) lands (there is an r+ patch currently), we want to flip this pref in Nightly and start honoring unprefixed Content-Security-Policy headers (as described in bug 783049)
Assignee: nobody → imelven
Blocks: csp-w3c-1.0
Status: NEW → ASSIGNED
Attached patch patch v1Splinter Review 

    
    

    
  
Comment on attachment 716254 [details] [diff] [review]
patch v1

Our plan is to flip this pref on Nightly when we land 763879. This will turn on using the new, CSP 1.0 spec compliant parser for CSP's delivered via the unprefixed Content-Security-Policy header. Bug 783049 contains further details of how we handle getting both the prefixed X- header and the unprefixed header, but tl;dr we ignore the prefixed header in that case and log a warning.

        Attachment #716254 -
        Flags: review?(gavin.sharp)

    
    

    
  
Last try push ran into a problem with 763879, which I have now hopefully fixed.

https://tbpl.mozilla.org/?tree=Try&rev=67641f5d771f

    
    

    
  
I don't have nearly enough context here to usefully review this.

Is this really a Firefox-specific pref, or should it live in all.js instead?

Who else is familiar with this work and can sign off on it being enabled by default?

    
    

    
  
(In reply to :Gavin Sharp (use gavin@gavinsharp.com for email) from comment #5)
> I don't have nearly enough context here to usefully review this.

Fair enough.
 
> Is this really a Firefox-specific pref, or should it live in all.js instead?

For now, I think we just want it turned on in Firefox Desktop. The situation in B2G is a little more complex and I want to talk to a couple of folks over there to see what they'd like to do (it also would require some more code changes to get apps to use the new parser) and when it makes sense in their schedule to do it.

> Who else is familiar with this work and can sign off on it being enabled by
> default?

Sid Stamm is the closest to the work IMO - would it be ok for him to r? it ?

    
    

    
  
Comment on attachment 716254 [details] [diff] [review]
patch v1

Sid and I ambushed jst and asked him if he could maybe take a look at this ;)

        Attachment #716254 -
        Flags: review?(gavin.sharp) → review?(jst)

    
  
Depends on: 746978, 763879, 783049

    
    

    
  
Comment on attachment 716254 [details] [diff] [review]
patch v1

Sorry for the delay here, r=jst

        Attachment #716254 -
        Flags: review?(jst) → review+

    
    

    
  
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #8)
> Comment on attachment 716254 [details] [diff] [review]
> patch v1
> 
> Sorry for the delay here, r=jst

No problem, I've been slowly figuring out what the right thing is to do for bug 763879 is in the meantime - thanks for the r+ :)

    
  
Blocks: CSP

    
    

    
  
I thought this was ready to go but the r+ for 763879 changed to an r-, see
https://bugzilla.mozilla.org/show_bug.cgi?id=763879#c123

I landed this in inbound as https://hg.mozilla.org/integration/mozilla-inbound/rev/254c1ac4ab8b but we are going to back it out.

    
  
Assignee: imelven → nobody
Status: ASSIGNED → NEW

    
    

    
  
(In reply to Ian Melven :imelven from comment #10)
> I landed this in inbound as
> https://hg.mozilla.org/integration/mozilla-inbound/rev/254c1ac4ab8b but we
> are going to back it out.

hg export -r 254c1ac4ab8b > ian-flip.patch
hg import ian-flip.patch
hg push -r . m-i

https://hg.mozilla.org/integration/mozilla-inbound/rev/6b181afc9fad
Assignee: nobody → imelven
Target Milestone: --- → Firefox 24

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/6b181afc9fad
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

    
    

    
  
Do we want to consider an uplift here?  What is the risk involved?

          status-firefox22:
          --- → unaffected

          status-firefox23:
          --- → affected

          status-firefox24:
          --- → fixed

          tracking-firefox23:
          --- → +

          tracking-firefox24:
          --- → +

    
    

    
  
Uplifting this would depend on also uplifting bug 763879 which adds inline style blocking to our CSP implementation.

What risk is involved is a good question. We have tests that the old, prefixed header supported in Fx 23 and earlier will still be handled as it always was. We also have tests to check that when both headers are sent, the new, unprefixed header is preferred. In general, I'd say the biggest risk is probably that of confusing people who don't expect Firefox to handle the unprefixed header. Freddy Braun and I are both working on blog posts to let people know about CSP 1.0 landing and what it means, and I'm going to be reaching out to the documentation folks as well to get MDN updated with the current state of things. Given that we just moved 23 to Aurora, I think we still would have enough time to get the word out before this hits Beta/Release (and even then, I think the risk of unexpected breakage is pretty low, since Chrome has been honoring the unprefixed header since Chrome 25, which was released in February.)

I've asked Sid for his thoughts as well :)

    
    

    
  
from comment 15 and conversation in IRC the best option here is to wait until 24 and ride the trains, get more time to do outreach & awareness building, untracking for 23 given that.

          status-firefox23:
          affectedwontfix

          tracking-firefox23:
          +-

    
    

    
  
I'd like to appeal the wontfix for Fx23 and ask that we reconsider uplifting.

There are so few sites on the internet using this feature (waiting for our implementation to match Chrome's) that we won't get any real usage testing without a beta-sized audience. Waiting another cycle for more Aurora testing won't help much.

Lengthy outreach is not urgent because we will continue to support the old headers so we don't need to convince people to change. In convincing people to switch we also have Google evangelizing the 1.0-compliant headers, and they've been doing that for a while now.

The risk is relatively low, because worst comes to worst we just flip the pref. No need for a scary detangling and backout. We could even flip the pref with the hotfix addon if necessary, but since there are so few sites using this feature it's hard to imagine needing it.

          status-firefox23:
          wontfix → ---

          tracking-firefox23:
          -?

    
    

    
  
Dan makes persuasive arguments, should we discover fallout we can hotfix this pref back to disabled - can we get this nominated & uplifted sooner rather than later to get the most bake time in Aurora/Beta?

          status-firefox23:
          --- → affected

          tracking-firefox23:
          ?+
Flags: needinfo?(imelven)

    
    

    
  
Dan, are you willing to spend the time rebasing the patch from bug 763879 and uplifting it?
Flags: needinfo?(dveditz)

    
    

    
  
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #19)
> Dan, are you willing to spend the time rebasing the patch from bug 763879
> and uplifting it?

Assuming there is not anything non-obviousl, then the merge took less than a minute:

hg graft 9eb574cd8faf
<fix a merge conflict in a single file>
hg graft 6b181afc9fad

https://tbpl.mozilla.org/?tree=Try&rev=23055644a92c
Flags: needinfo?(dveditz)

    
    

    
  
(In reply to Brian Smith (:bsmith) from comment #20)
> (In reply to Sid Stamm [:geekboy or :sstamm] from comment #19)
> > Dan, are you willing to spend the time rebasing the patch from bug 763879
> > and uplifting it?
> 
> Assuming there is not anything non-obviousl, then the merge took less than a
> minute:
> 
> hg graft 9eb574cd8faf
> <fix a merge conflict in a single file>
> hg graft 6b181afc9fad
> 
> https://tbpl.mozilla.org/?tree=Try&rev=23055644a92c

Seems I guessed wrong on that merge. Let's try again:
https://tbpl.mozilla.org/?tree=Try&rev=eeddd214c0f7

    
    

    
  
Comment on attachment 716254 [details] [diff] [review]
patch v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): New feature
User impact if declined: CSP 1.0 policies with the standard syntax/semantics are will not be supported.
Testing completed (on m-c, etc.): This landed on m-c a week ago, seemingly without problems.
Risk to taking this patch (and alternatives if risky): Other people should comment on the risk as far as coding change risk is concerned. There is some compatibility risk for a small number of websites that are using CSP 1.0. However, it will be easy to revert this change if we run into problems.
String or IDL/UUID changes made by this patch: None

        Attachment #716254 -
        Flags: approval-mozilla-aurora?

    
    

    
  
(In reply to Brian Smith (:bsmith) from comment #22)
> Comment on attachment 716254 [details] [diff] [review]
> patch v1
> 
> Risk to taking this patch (and alternatives if risky): Other people should
> comment on the risk as far as coding change risk is concerned. There is some
> compatibility risk for a small number of websites that are using CSP 1.0.
> However, it will be easy to revert this change if we run into problems.

I think Dan makes some very good points in comment 17.

The only real risk should be for sites using CSP 1.0 headers, as Brian said above. We even have data on how few sites are using these headers so far : 6 of the top Alexa 1 million - source : http://www.veracode.com/blog/2013/03/security-headers-on-the-top-1000000-websites-march-2013-report/

Also, I'll again mention there's a fair amount of tests around these changes as well, see my comment 15
Flags: needinfo?(imelven)

    
    

    
  
Comment on attachment 716254 [details] [diff] [review]
patch v1

I'm OK with that risk since the payoff as Dan describes it sounds worthwhile. Approving for Aurora.

        Attachment #716254 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

    
    

    
  
CSP 1.0 support is a good candidate for a release note IMO. I'm going to push out a blog post about it very soon as well.

    
    

    
  
Verified security.csp.speccompliant=true by default in FF 23b10.

          status-firefox23:
          fixedverified

    
    

    
  
(In reply to Paul Silaghi [QA] from comment #27)
> Verified security.csp.speccompliant=true by default in FF 23b10.
Verified FF 24b4
Status: RESOLVED → VERIFIED

          status-firefox24:
          fixedverified

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: