Closed
Bug 1302449
Opened 8 years ago
Closed 7 years ago
deprecating the "referrer" directive in CSP
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla62
| | Tracking | Status |
|---|---|---|
| firefox62 | --- | fixed |
People
(Reporter: kjozwiak, Assigned: baku)
References
(Blocks 2 open bugs)
Details
(Keywords: dev-doc-complete, site-compat, Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
(deleted), patch | ckerschb: review+
The W3C has recently added tests [1] under the Web Platform Test Runner that check and ensure that browsers are not using the CSP "referrer" directive to set a Referrer Policy, which has been replaced by the Referrer-Policy header [2].
Chris, would removing the CSP "referrer" directive cause any compatibility issues? Is the directive still widely used on the web?
[1] https://w3c-test.org/referrer-policy/generic/unsupported-csp-referrer-directive.html
[2] https://github.com/w3c/web-platform-tests/pull/3416
Reporter
Updated•8 years ago
Flags: needinfo?(ckerschb)
Comment 1•8 years ago
Hey Kamil, I suppose the least we can do is log a warning to the console that it's deprecated and also get some telemetry data (somewhere around here [1]). If not too many pages rely on it, I am fine with removing the code from CSP. But I suppose we should wait at least 2 cycles to give folks a chance to switch and use the Referrer-Policy header. Agreed?
[1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPParser.cpp#867
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Reporter
Comment 2•8 years ago
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Hey Kamil, I suppose the least we can do is log a warning to the console
> that it's deprecated and also get some telemetry data (somewhere around here
> [1]). If not too many pages rely on it, I am fine with removing the code
> from CSP. But I suppose we should wait at least 2 cycles to give folks a
> chance to switch and use the Referrer-Policy header. Agreed?
>
> [1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPParser.cpp#867
Completely agreed :)
Updated•8 years ago
Keywords: dev-doc-needed
Comment 3•8 years ago
Looks like this is removed in Chrome 56 https://bugs.chromium.org/p/chromium/issues/detail?id=658761
Updated•8 years ago
Keywords: site-compat
Assignee
Comment 4•7 years ago
I'm not sure this is enough. ... and I still have to see how many WPTs are broken by this patch.
Assignee: nobody → amarchesini
Attachment #8973696 - Flags: review?(ckerschb)
Comment 5•7 years ago
Comment on attachment 8973696
csp_referrer.patch
Review of attachment 8973696:
-----------------------------------------------------------------
that looks good to me, thanks and r=me!
Attachment #8973696 - Flags: review?(ckerschb) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eeaae6812d82
Remove the "referrer" directive in CSP, r=ckerschb
Comment 7•7 years ago
Posted the site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2018/csp-referrer-directive-has-been-removed/
Comment 8•7 years ago
bugherder
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment 9•7 years ago
bugherder
Updated•6 years ago
status-firefox51: affected → ---
Comment 10•6 years ago
https://developer.mozilla.org/en-US/Firefox/Releases/62#HTTP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer
https://github.com/mdn/browser-compat-data/pull/2369
Keywords: dev-doc-needed → dev-doc-complete
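
For site operators affected by this removal, a header audit along these lines finds responses that still send the CSP "referrer" directive and suggests the Referrer-Policy header to send instead. This is an added example, not part of the bug or of Firefox's code; `parse_csp`, `audit` and the sample headers are constructed for illustration, and the suggestion simply reuses the directive's value when it is a valid Referrer-Policy token.

```python
# Policy tokens defined for the Referrer-Policy header.
REFERRER_POLICY_TOKENS = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def parse_csp(header_value):
    """Split a CSP header value into policies, each a {directive: [values]} dict."""
    policies = []
    for serialized in header_value.split(","):       # commas separate policies
        directives = {}
        for part in serialized.split(";"):           # semicolons separate directives
            tokens = part.split()
            if tokens:
                # Names are case-insensitive; the first occurrence wins.
                directives.setdefault(tokens[0].lower(), tokens[1:])
        if directives:
            policies.append(directives)
    return policies


def audit(headers):
    """Return one finding per policy that still carries a "referrer" directive."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    for policy in parse_csp(h.get("content-security-policy", "")):
        if "referrer" not in policy:
            continue
        values = policy["referrer"]
        token = values[0].lower() if len(values) == 1 else None
        if "referrer-policy" in h:
            advice = "remove directive; Referrer-Policy header already sent"
        elif token in REFERRER_POLICY_TOKENS:
            advice = f"remove directive; send Referrer-Policy: {token}"
        else:
            advice = "remove directive; choose a Referrer-Policy value by hand"
        findings.append({"value": " ".join(values), "advice": advice})
    return findings

# Constructed sample responses (not taken from the bug).
SAMPLES = [
    {"Content-Security-Policy": "default-src 'self'; Referrer origin"},
    {"Content-Security-Policy": "referrer no-referrer", "Referrer-Policy": "no-referrer"},
    {"Content-Security-Policy": "script-src 'self'; referrer sometimes"},
    {"Content-Security-Policy": "default-src 'self'"},
]
print([audit(sample) for sample in SAMPLES])
```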