Intent to Deprecate and Unship: prefixed Content Security Policy headers.
Mike West
Primary eng (and PM) emails
mk...@chromium.orgSpec
Summary
Blink has solid support for CSP 1.0 through the unprefixed 'Content-Security-Policy*' headers. I'd like to formally deprecate the prefixed 'X-WebKit-CSP*' headers.
Motivation
We're starting to see some large-scale implementations of CSP that are serving the prefixed header (Facebook and GitHub, for instance). In order to ensure that this prefixed header doesn't inadvertently become a de facto standard, we should deprecate the prefixed headers quickly.
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
OWP launch tracking bug?
Row on feature dashboard?
Yup.
Requesting simultaneous permission to unship?
Alex Komoroske
Primary eng (and PM) emails
mk...@chromium.orgSpec
Summary
Blink has solid support for CSP 1.0 through the unprefixed 'Content-Security-Policy*' headers. I'd like to formally deprecate the prefixed 'X-WebKit-CSP*' headers.
Motivation
We're starting to see some large-scale implementations of CSP that are serving the prefixed header (Facebook and GitHub, for instance). In order to ensure that this prefixed header doesn't inadvertently become a de facto standard, we should deprecate the prefixed headers quickly.
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
Mike West
On Mon, Apr 15, 2013 at 10:53 PM, Mike West <mk...@chromium.org> wrote:
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
I agree about the long-term, but there still could be short-term compatibility risk in deprecating.How long have we shipped the prefixed version?
Who else ships the unprefixed version?
Do we have a sense of how many sites use the prefixed version and not the unprefixed version?
What will happen on sites that send the prefixed but not the unprefixed version if we deprecate?
Masataka Yakura
On Wednesday, April 17, 2013 12:20:08 AM UTC+9, Mike West wrote:
Hi Alex!On Tue, Apr 16, 2013 at 5:10 PM, Alex Komoroske <komo...@chromium.org> wrote:
On Mon, Apr 15, 2013 at 10:53 PM, Mike West <mk...@chromium.org> wrote:
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
I agree about the long-term, but there still could be short-term compatibility risk in deprecating.How long have we shipped the prefixed version?Since Chrome 14 or so, in various stages of completeness.Who else ships the unprefixed version?Everyone else who uses WebKit/Blink. Safari 6, for example.Safari 5.x and Android's "Browser" ship the prefixed header as well, but they're unfortunately buggy enough to be fairly unusable.Firefox ships a differently prefixed version (`X-Content-Security-Policy`), and should be rolling out the cannonical header soon(ish).
Mike West
On Wednesday, April 17, 2013 12:20:08 AM UTC+9, Mike West wrote:
Hi Alex!On Tue, Apr 16, 2013 at 5:10 PM, Alex Komoroske <komo...@chromium.org> wrote:
On Mon, Apr 15, 2013 at 10:53 PM, Mike West <mk...@chromium.org> wrote:
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
I agree about the long-term, but there still could be short-term compatibility risk in deprecating.How long have we shipped the prefixed version?Since Chrome 14 or so, in various stages of completeness.Who else ships the unprefixed version?Everyone else who uses WebKit/Blink. Safari 6, for example.Safari 5.x and Android's "Browser" ship the prefixed header as well, but they're unfortunately buggy enough to be fairly unusable.Firefox ships a differently prefixed version (`X-Content-Security-Policy`), and should be rolling out the cannonical header soon(ish).Fx21 (coming in May) will have the canonical header.(They still have a few bugs for full support of CSP 1.0 http://bugzil.la/837682 )
I think IE10 has partial support for CSP under the X-Content-Security-Policy header.
Masataka Yakura
On Wednesday, April 17, 2013 12:48:50 AM UTC+9, Mike West wrote:
Hi Masataka-san!On Tue, Apr 16, 2013 at 5:39 PM, Masataka Yakura <myaku...@gmail.com> wrote:
On Wednesday, April 17, 2013 12:20:08 AM UTC+9, Mike West wrote:
Hi Alex!On Tue, Apr 16, 2013 at 5:10 PM, Alex Komoroske <komo...@chromium.org> wrote:
On Mon, Apr 15, 2013 at 10:53 PM, Mike West <mk...@chromium.org> wrote:
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
I agree about the long-term, but there still could be short-term compatibility risk in deprecating.How long have we shipped the prefixed version?Since Chrome 14 or so, in various stages of completeness.Who else ships the unprefixed version?Everyone else who uses WebKit/Blink. Safari 6, for example.Safari 5.x and Android's "Browser" ship the prefixed header as well, but they're unfortunately buggy enough to be fairly unusable.Firefox ships a differently prefixed version (`X-Content-Security-Policy`), and should be rolling out the cannonical header soon(ish).Fx21 (coming in May) will have the canonical header.(They still have a few bugs for full support of CSP 1.0 http://bugzil.la/837682 )+Ian Melvin, who's working on this in Mozilla.According to https://bugzilla.mozilla.org/show_bug.cgi?id=783049#c51 it'll be behind a flag in Firefox 21. I'm not entirely sure which of those is more current. (Hi Ian!)
Ian Melven
>> +Ian Melvin, who's working on this in Mozilla.
>> According to https://bugzilla.mozilla.org/show_bug.cgi?id=783049#c51 it'll be behind a flag in Firefox 21. I'm not entirely sure which of those is more current. (Hi Ian!)
> Oh.
> You're right. https://bugzilla.mozilla.org/show_bug.cgi?id=746978#c80 says so too and I don't see the security.csp.speccompliant flag in about:config on my Fx21 beta. My bad.
right now i'm waiting on reviews for https://bugzilla.mozilla.org/show_bug.cgi?id=763879 and after that
we should be able to flip the pref and turn on the unprefixed header for desktop Firefox at least.
we have plans to deprecate the X- header as well in the future, but no set timeline currently.
thanks,
ian
Adam Barth
conca...@gmail.com
Adam Barth
Doesn't dropping support open sites using it to security risks.
I have no problem with warnings but I would expect at least a year before dropping support. Not everyone operates on Chromes release model.
John Lenz
Oh please. If there were such rules of the road you would start with deprecation warnings and dates. Or always have them behind flags. But the truth is you need folks to use them but you are willing to throw them under the bus for some Web standard ideal and an artificial deadline. I know I won't win an argument with someone with this mindset as we have differing views on what is owed to Web content developers.
I do recommend that you start warning on all vendor prefixes with removal dates (a year off) even if you extend them to allow standards bodies the decades (it seems) to agree on the obviously needed features that force people to use them. Then I couldn't argue that folks don't know what they are getting into.
Adam Barth
Oh please. If there were such rules of the road you would start with deprecation warnings and dates. Or always have them behind flags.
But the truth is you need folks to use them but you are willing to throw them under the bus for some Web standard ideal and an artificial deadline.
I know I won't win an argument with someone with this mindset as we have differing views on what is owed to Web content developers.
I do recommend that you start warning on all vendor prefixes with removal dates (a year off) even if you extend them to allow standards bodies the decades (it seems) to agree on the obviously needed features that force people to use them. Then I couldn't argue that folks don't know what they are getting into.
John Lenz
You missed the point of the deprecated message with the deadline. The point is not about actually meeting any particular date. It is about communication and setting expectations. By starting with a removal date, you state it will be removed and isn't a extension that may never be standardized and you plan to support forever (which from where I sit has been the effective policy in the past). My choice of a year was chosen because I've never see a standard body act fast but is near enough to not be see as a far off future, otherwise it has no meaning. If you can standardized in 2 weeks, and expect to remove it in 3 by all means use a date 3 weeks out. "removal is expected near ...".
I understand the problem with removing legacy prefixes, so my recommendation is don't. The cost of maintaining an alias in low and there was no expectation that they would be removed. That is water under the bridge. Make sure moving forward that this doesn't repeat by communicating clearly in the browser itself from the start.
Adam Barth
You missed the point of the deprecated message with the deadline. The point is not about actually meeting any particular date. It is about communication and setting expectations. By starting with a removal date, you state it will be removed and isn't a extension that may never be standardized and you plan to support forever (which from where I sit has been the effective policy in the past). My choice of a year was chosen because I've never see a standard body act fast but is near enough to not be see as a far off future, otherwise it has no meaning. If you can standardized in 2 weeks, and expect to remove it in 3 by all means use a date 3 weeks out. "removal is expected near ...".
I understand the problem with removing legacy prefixes, so my recommendation is don't. The cost of maintaining an alias in low and there was no expectation that they would be removed. That is water under the bridge. Make sure moving forward that this doesn't repeat by communicating clearly in the browser itself from the start.
John Lenz
Post facto warnings don't help (I didn't mean deprecation warnings previously but simply a removal warning). They need to be there from the start. I am aware of the arguments against vendor prefixes and agree that vendor prefixes fragment the web but I disagree that removing the prefixes and breaking compatibility is the right thing to do unless you have clearly state this intent when the content was developed.
CSP is an example of this but this isn't specifically about CSP. It is about policy.
The sad fact is that vendor prefixes mean "extension" not "temporary trial" and until there is only one browser vendor (which no one wants) there will always be vendor specific extensions and folks take advantage of these when they can. If you don't them to you need to tell them.
Christian Biesinger
are extensions vs temporary -- in the case of CSS, lots of people add
both the prefixed and the unprefixed version of the property.
And it's also not really correct that "there will always be
vendor-specific extensions". Both Mozilla and Chrome are moving away
from that and have committed not to add any new ones.
-christian
Mike West
I would suggest that we first drop support for the prefixed headers, but leave deprecation messages in place for another few releases to help developers transition to the supported, unprefixed headers.
Mike West <mk...@google.com>
Registergericht und -nummer: Hamburg, HRB 86891
Eric Seidel
Mike West
Mike West <mk...@google.com>
Registergericht und -nummer: Hamburg, HRB 86891
