MozillaWiki

SecurityEngineering/CSP Radar: Difference between revisions

Page Discussion

SecurityEngineering/CSP Radar (view source)

Revision as of 01:28, 29 June 2013

251 bytes removed ,  29 June 2013
→‎Bugs
Line 4: Line 4:


= Bugs =  
= Bugs =  
* P0 - (CSP 1.0) update docs (q3 goal) - https://bugzilla.mozilla.org/show_bug.cgi?id=837682 (assign=imelven)
* P0 - CSP 1.0 turned on for Firefox OS - https://bugzilla.mozilla.org/show_bug.cgi?id=858787 (assign=grobinson)
* P0 - CSP 1.0 turned on for Firefox OS - need to do try run and see if there's work to do here - https://bugzilla.mozilla.org/show_bug.cgi?id=858787 (assign=grobinson)
** grobinson has spent some time on this and discovered some other blocking bugs that he has fixed or is fixing
* P1 CSP 1.0 policy without default-src should assume 'default-src *' (bug 764937 and 780978 [remove makeExplicit]) - almost ready to land (assign=sid)
* P1 CSP 1.0 turned on for Fennec - this is just flipping the switch, but needs a try run - https://bugzilla.mozilla.org/show_bug.cgi?id=858780 (assign=grobinson)
* P1 (CSP 1.0) A policy of like script-src 'self' 'unsafe-inline'; allows eval but should not https://bugzilla.mozilla.org/show_bug.cgi?id=882060 (assign=sid)
* P1 (CSP 1.0) A policy of like script-src 'self' 'unsafe-inline'; allows eval but should not https://bugzilla.mozilla.org/show_bug.cgi?id=882060 (assign=sid)
* P1 - (CSP 1.0) CSP should not block inline scripts or evail unless script-src or default-src are included -  https://bugzilla.mozilla.org/show_bug.cgi?id=885433 (assign=grobinson)
* P1 - (CSP 1.0) CSP should not block inline scripts or eval unless script-src or default-src are included -  https://bugzilla.mozilla.org/show_bug.cgi?id=885433 (assign=grobinson)
* P2 - (CSP 1.0) report destination loosening - https://bugzilla.mozilla.org/show_bug.cgi?id=843311 - helps adoption but isn't crucial  
* P2 - (CSP 1.0) report destination loosening - https://bugzilla.mozilla.org/show_bug.cgi?id=843311 - helps adoption but isn't crucial  
* P2 - (CSP 1.0) EventSource needs to be restricted using connect-src directive https://bugzilla.mozilla.org/show_bug.cgi?id=802872
* P2 - (CSP 1.0) EventSource needs to be restricted using connect-src directive https://bugzilla.mozilla.org/show_bug.cgi?id=802872
** needs to be tested to make sure it isn't already
* P2 -  (CSP 1.0) Verify that content added by XSLT stylesheet is subject to document's CSP -  https://bugzilla.mozilla.org/show_bug.cgi?id=663567
* P2 -  (CSP 1.0) Verify that content added by XSLT stylesheet is subject to document's CSP -  https://bugzilla.mozilla.org/show_bug.cgi?id=663567
** needs someone to test it
* P2 - redirects / nsIContentPolicy - test cases involving redirects fail for some reason
* P2 - redirects / nsIContentPolicy - test cases involving redirects fail for some reason
* P2 - (CSP 1.1) - script-nonce (helps with adoption) - land behind a pref ?
* P2 - (CSP 1.1) - script-nonce (helps with adoption) - land behind a pref, grobinson has written a patch for this 
* P2 - improve error messages/logging - https://bugzilla.mozilla.org/show_bug.cgi?id=607067 https://bugzilla.mozilla.org/show_bug.cgi?id=792161
* P2 - improve error messages/logging - https://bugzilla.mozilla.org/show_bug.cgi?id=607067 https://bugzilla.mozilla.org/show_bug.cgi?id=792161
* P3 (spec unclear?) Content Security Policy (CSP) blocks SVG embedded as data URI in CSS url() (affects b2g) https://bugzilla.mozilla.org/show_bug.cgi?id=878608
* P3 (spec unclear?) Content Security Policy (CSP) blocks SVG embedded as data URI in CSS url() (affects b2g) https://bugzilla.mozilla.org/show_bug.cgi?id=878608
Imelven
Confirmed users
197

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/671493"