SecurityEngineering/CSP Radar: Difference between revisions

From MozillaWiki
= CSP: the Future™ =
* 1.0 support is in Fx23 which will go to Release on August 6, 2013
* bugs that affect CSP 1.0 support should be dependencies for https://bugzilla.mozilla.org/show_bug.cgi?id=663566

= Bugs =
* P0 - (CSP 1.0) update docs (q3 goal) - https://bugzilla.mozilla.org/show_bug.cgi?id=837682 (assign=imelven)
* P0 - CSP 1.0 turned on for Firefox OS - need to do a try run and see if there's work to do here - https://bugzilla.mozilla.org/show_bug.cgi?id=858787 (assign=grobinson)
** grobinson has spent some time on this and discovered some other blocking bugs that he has fixed or is fixing
* P1 - CSP 1.0 policy without default-src should assume 'default-src *' (bug 764937 and 780978 [remove makeExplicit]) - almost ready to land (assign=sid)
* P1 - (CSP 1.0) A policy like script-src 'self' 'unsafe-inline'; allows eval but should not - https://bugzilla.mozilla.org/show_bug.cgi?id=882060 (assign=sid)
* P1 - CSP 1.0 turned on for Fennec - this is just flipping the switch, but needs a try run - https://bugzilla.mozilla.org/show_bug.cgi?id=858780 (assign=grobinson)
* P1 - (CSP 1.0) CSP should not block inline scripts or eval unless script-src or default-src are included - https://bugzilla.mozilla.org/show_bug.cgi?id=885433 (assign=grobinson)
* P2 - (CSP 1.0) report destination loosening - https://bugzilla.mozilla.org/show_bug.cgi?id=843311 - helps adoption but isn't crucial
* P2 - (CSP 1.0) EventSource needs to be restricted using connect-src directive - https://bugzilla.mozilla.org/show_bug.cgi?id=802872
** needs to be tested to make sure it isn't already
* P2 - (CSP 1.0) Verify that content added by XSLT stylesheet is subject to document's CSP - https://bugzilla.mozilla.org/show_bug.cgi?id=663567
** needs someone to test it
* P2 - redirects / nsIContentPolicy - test cases involving redirects fail for some reason
* P2 - (CSP 1.1) script-nonce (helps with adoption) - land behind a pref; grobinson has written a patch for this
* P2 - improve error messages/logging - https://bugzilla.mozilla.org/show_bug.cgi?id=607067 https://bugzilla.mozilla.org/show_bug.cgi?id=792161
* P3 - (spec unclear?) Content Security Policy (CSP) blocks SVG embedded as data URI in CSS url() (affects b2g) - https://bugzilla.mozilla.org/show_bug.cgi?id=878608
* P3 - fix bookmarklets to work with CSP - https://bugzilla.mozilla.org/show_bug.cgi?id=866522
* P3 - (CSP 1.1) https://bugzilla.mozilla.org/show_bug.cgi?id=826805 - allow HTTPS content when an http source is present (in 1.1 spec)
* P3 - (CSP 1.1) meta support - many issues to resolve - https://bugzilla.mozilla.org/show_bug.cgi?id=663570
* P3 - (CSP 1.1) paths - https://bugzilla.mozilla.org/show_bug.cgi?id=808292
* P3 - C++ rewrite
* P3 - sandbox (depends on iframe sandbox work that isn't complete; needs allow-popups, bug 785310) - https://bugzilla.mozilla.org/show_bug.cgi?id=671389
* P4 - (not in spec) block CSSOM calls without style-src: unsafe-eval - https://bugzilla.mozilla.org/show_bug.cgi?id=873302 - needs proposal and discussion on the WG list
* P4 - (CSP 1.0) eval bypass using crypto.generateCRMFRequest - https://bugzilla.mozilla.org/show_bug.cgi?id=824652 - can already run script in this case
* P4 - (spec under development still) frame options - https://bugzilla.mozilla.org/show_bug.cgi?id=846978 (have existing frame-ancestors, going to fix X-Frame-Options - https://bugzilla.mozilla.org/show_bug.cgi?id=725490)
* P? - (non CSP spec) script-hash ?


= Things To Do ? =
* should inline scripts/eval be blocked if neither script-src nor default-src is present ?
** this is so you can do e.g. csp sandbox or frame-options without blocking scripts
** adam's view is that if you don't opt into script restrictions by specifying default-src or script-src, scripts shouldn't be blocked
** filed https://bugzilla.mozilla.org/show_bug.cgi?id=885433
* script-nonce / script-hash (CSP 1.1)
* paths (CSP 1.1)
* sandbox (options 1.0, in csp1.1)
* anything else from CSP 1.1 or UI Safety specs ?
* frame-options (pretty much == frame-ancestors)
* redirects / general nsIContentPolicy issue ?
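
The script-src / default-src fallback questions above (bugs 882060, 885433 and 764937) as an added worked example; this is not code from the wiki page or from Gecko, and `parse_policy`, `governing_sources`, `allows_*` and `script_verdict` are assumed names. Host matching is simplified to exact origins, `*` and `'self'`; scheme-only and wildcard-host source expressions are not modelled.

```python
# Added example (not from the wiki page or Gecko): a minimal model of the
# CSP 1.0 script-src / default-src fallback rules behind bugs 882060,
# 885433 and 764937. Host matching is simplified to exact origins, '*'
# and 'self'; scheme-only and wildcard-host expressions are not modelled.

def parse_policy(header: str) -> dict:
    """Parse a Content-Security-Policy value into {name: [sources]}.
    CSP 1.0 keeps only the first occurrence of a repeated directive."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def governing_sources(policy: dict, directive: str):
    """Sources governing `directive`: its own list, else default-src,
    else None, meaning the directive is not restricted at all."""
    return policy.get(directive, policy.get("default-src"))

def allows_inline_script(policy: dict) -> bool:
    # No script-src and no default-src: inline is allowed (bug 885433).
    sources = governing_sources(policy, "script-src")
    return sources is None or "'unsafe-inline'" in sources

def allows_eval(policy: dict) -> bool:
    # 'unsafe-inline' alone must not enable eval (bug 882060).
    sources = governing_sources(policy, "script-src")
    return sources is None or "'unsafe-eval'" in sources

def allows_script_from(policy: dict, origin: str, self_origin: str) -> bool:
    """Host-source check for an external script loaded from `origin`."""
    sources = governing_sources(policy, "script-src")
    if sources is None:  # neither directive present: behaves like '*'
        return True
    if "'none'" in sources:
        return False
    return any(src == "*" or src == origin
               or (src == "'self'" and origin == self_origin)
               for src in sources)

def script_verdict(header: str, origin: str, self_origin: str) -> dict:
    """All three script decisions for one header value."""
    policy = parse_policy(header)
    return {"inline": allows_inline_script(policy),
            "eval": allows_eval(policy),
            "external": allows_script_from(policy, origin, self_origin)}
```

Note that an explicit script-src replaces default-src entirely, so `default-src 'self'; script-src https://cdn.test` no longer allows scripts from the document's own origin.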


= ACTIONS =
* figure out if W3C test suite failures are legit - file bugs for the failures that are
** Brad Hill test suite: http://webappsec-test.info/web-platform-tests/CSP/
* needs confirmation - Bug in Content Security Policy for setInterval and setTimeout when argument is a function - https://bugzilla.mozilla.org/show_bug.cgi?id=699586
* needs confirmation - Verify that content added by XSLT stylesheet is subject to document's CSP - https://bugzilla.mozilla.org/show_bug.cgi?id=663567
* needs confirmation - EventSource needs to be restricted using connect-src directive - https://bugzilla.mozilla.org/show_bug.cgi?id=802872 - test to make sure it isn't already

Latest revision as of 01:30, 29 June 2013
