Contact emails
mk...@chromium.org, j...@chromium.org
Spec
https://w3c.github.io/webappsec/specs/content-security-policy/
Summary
Content Security Policy Level 2 is, as you'd expect, an evolution of the Content Security Policy specification. Level 2 makes two breaking changes, and adds support for a number of new directives and capabilities which are summarized in the "Changes from 1.0" section of the spec: https://w3c.github.io/webappsec/specs/content-security-policy/#changes
Link to "Intent to Implement" blink-dev discussion
https://lists.webkit.org/pipermail/webkit-dev/2012-May/020559.html was the announcement on webkit-dev, way back when. Joel shipped parts of CSP2 in https://groups.google.com/a/chromium.org/d/msg/blink-dev/rCiwMvGG8IY/MgRtHrkQfgMJ
Is this feature supported on all five Blink platforms (Windows, Mac, Linux, Chrome OS and Android)?
Yes.
Debuggability
We generate console messages for most violations, and the headers are easily inspectable via the network tab.
Compatibility Risk
There are 4 breaking changes in CSP2, summarized in https://w3c.github.io/webappsec/specs/content-security-policy/#changes. One we need to make for security reasons (ignoring path components after a redirect), and the rest for clarity going forward:
* Workers are moving from 'script-src' to 'child-src'. This should have an extremely small impact, as evidenced by the UMA metric: http://www.chromestatus.com/metrics/feature/popularity#WorkerAllowedByChildBlockedByScript
* Workers will have their own policy, rather than inheriting a policy from their creating document. This is necessary to support Service Workers (but isn't yet implemented).
* Redirects are blocked by default, governed by 'unsafe-redirect'.
The last of these might be disruptive: I intend to add metrics for the 'unsafe-redirect' change, and I'll come back to the list with numbers before shipping this change.
Other vendors are generally supportive:
* Firefox will be making these changes as well.
* IE does not yet implement CSP, but is working on implementing CSP2 in a future release: http://status.modern.ie/contentsecuritypolicy
* Safari hasn't substantially touched their CSP implementation since we forked, nor has Apple participated in the WG. If that continues, then I'll try to submit some patches.
OWP launch tracking bug?
Link to entry on the feature dashboard
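To make the two behavioural changes from the post concrete (workers governed by 'child-src' instead of 'script-src', and path components ignored when the fetched URL is the result of a redirect), here is a small, simplified CSP source-expression matcher. It is an added illustration, not code from the post or from Blink's CSP implementation. The policy string, origin and URLs are constructed sample values; the matcher handles 'self', 'none', '*', scheme sources and host sources with optional scheme, port and path, and deliberately omits host wildcards, nonces, hashes and the 'unsafe-redirect' keyword.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample values (not from the post): scripts only from one
# directory on a CDN, workers only from the page's own origin.
SAMPLE_POLICY = "default-src 'none'; script-src https://cdn.example/js/; child-src 'self'"
PAGE_ORIGIN = "https://app.example"


def parse_policy(header):
    """Parse a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def matches(expr, url, origin, redirected):
    """Simplified CSP2 matching of one source expression against a URL.

    `redirected` is True when `url` is the target of a redirect; CSP2 then
    skips the path comparison so that redirect targets are not leaked by
    fine-grained path policies.
    """
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        expr = origin
    if expr.startswith("'"):  # other keywords ('unsafe-inline', ...) never match a URL
        return False
    u = urlsplit(url)
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. "https:"
        return u.scheme == expr[:-1].lower()
    e = urlsplit(expr if "://" in expr else "//" + expr)  # host-source
    required_scheme = e.scheme or urlsplit(origin).scheme
    if u.scheme != required_scheme and not (required_scheme == "http" and u.scheme == "https"):
        return False
    if e.hostname != u.hostname:
        return False
    if (e.port or DEFAULT_PORTS.get(required_scheme)) != (u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    if e.path and not redirected:
        if e.path.endswith("/"):           # directory prefix match
            return u.path.startswith(e.path)
        return u.path == e.path            # exact file match
    return True


def effective_sources(policy, directive):
    """A missing fetch directive falls back to default-src (None if neither is set)."""
    return policy.get(directive, policy.get("default-src"))


def allowed(policy, directive, url, origin, redirected=False):
    """True if `url` may be loaded under `directive` (or its default-src fallback)."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # no applicable directive: load is unrestricted
    return any(matches(s, url, origin, redirected) for s in sources)


def worker_allowed(policy, url, origin, level=2):
    """CSP 1.0 governed worker scripts with script-src; CSP2 moves them to child-src."""
    directive = "child-src" if level == 2 else "script-src"
    return allowed(policy, directive, url, origin)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for worker in ("https://app.example/worker.js", "https://cdn.example/js/w.js"):
        print(worker,
              "CSP1:", worker_allowed(policy, worker, PAGE_ORIGIN, level=1),
              "CSP2:", worker_allowed(policy, worker, PAGE_ORIGIN, level=2))
    target = "https://cdn.example/other/a.js"
    print(target, "direct:", allowed(policy, "script-src", target, PAGE_ORIGIN),
          "after redirect:", allowed(policy, "script-src", target, PAGE_ORIGIN, redirected=True))
```

Running it shows the same-origin worker being blocked under the CSP 1.0 reading (script-src points only at the CDN) but allowed under CSP2 ('child-src' 'self'), the CDN-hosted worker flipping the other way, and a script outside the allowed '/js/' directory being rejected when fetched directly but accepted when it is the target of a redirect, since only the origin is compared after a redirect. That second case is the behaviour the post calls out as the security-motivated change; a site relying on path-level restrictions should expect them to apply to the first hop only.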
Can you specify which pieces you'd like to ship first?