X-CSP Deprecation Plan

Garrett Robinson

Feb 6, 2014, 7:07:58 PM
to dev-se...@lists.mozilla.org
# Overview

The X-Content-Security-Policy header, and associated pre-1.0 parser,
have been deprecated since Firefox 23. Our 1.0 support is stable and
mostly complete, and we have begun working on implementing new features
from the in-progress CSP 1.1 spec. We are also working on rewriting the
CSP implementation to be completely native (C++) to improve performance.
The new implementation will only support CSP 1.x. Therefore, removing
support for X-CSP is a blocker for landing the new implementation.

# Plan

## Prerequisites

I am currently working on Bug 858787 ("Flip the pref to turn on the CSP
1.0 parser for Firefox OS"). Once it is landed, all Mozilla client
software products will use CSP 1.0 by default.

## Timing

We will remove the header in nightly (30) as soon as the prerequisites
are done, and let the change ride the trains normally. It will be
released simultaneously in Firefox 30 and B2G 1.4 on June 9th.

## Impact

Sites that only use the prefixed header will no longer have the expected
CSP protections applied, making their users more vulnerable to XSS.
However, CSP is a defense-in-depth, so they should not be relying on it,
and they've been warned since Firefox 23 that the prefixed header is
deprecated and they should be using the un-prefixed header instead.
Also, it will not break sites, just make them more vulnerable.

## Socializing the change

This gives 1 release cycle to announce the planned change and inform
developers that they need to be using CSP instead of, or in addition to
(for backwards compatibility), X-CSP to get protection in release Firefox.

For the reasons in the Impact section, as well as due to CSP's
relatively low adoption rate, this time frame is responsible and
balances giving developers time to upgrade with removing a non-standard
header (lest it become increasingly de facto standard).

To spread the word about the change and educate developers, I will:

1. Email the webappsec working group to announce the planned change.
Many of the developers whose sites currently implement CSP are active on
that list.
2. Blog about it on hacks.mozilla.org (cross-post Mozilla security blog?)
3. Give a tech talk at Twitter at the end of the month about CSP, and
announce the change there.
4. Matt Wobensmith will do an automated survey of top sites and the
status of their CSP headers. Depending on the results of that analysis,
we may decide to do more to help sites transition.
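The audit helper below is an added example, not code from the post or from Mozilla's survey tooling. It classifies a response's headers the way a site survey of CSP status would need to: responses that send only the deprecated X-Content-Security-Policy header are the ones that lose enforcement when the prefixed parser is removed. It goes slightly beyond the post by also separating out responses whose only standard header is Content-Security-Policy-Report-Only, which reports violations but enforces nothing. The hostnames and header sets are constructed sample data.

```python
# Added example: classify HTTP responses by which CSP headers they send.
# Not part of the original post; sample responses below are constructed.
from typing import Dict, Iterable, List, Tuple

STANDARD = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"
PREFIXED = "x-content-security-policy"  # deprecated since Firefox 23

Header = Tuple[str, str]  # (name, value) as received on the wire


def csp_status(headers: Iterable[Header]) -> str:
    """Classify one response's CSP coverage.

    Returns one of:
      "standard"       unprefixed enforcing header present (prefixed may be too)
      "report-only"    only the standard report-only header, so no enforcement
      "prefixed-only"  only the deprecated X-CSP header; protection ends with
                       the prefixed parser's removal
      "none"           no CSP header at all
    Header names are compared case-insensitively, as HTTP requires.
    """
    names = {name.strip().lower() for name, _ in headers}
    if STANDARD in names:
        return "standard"
    if REPORT_ONLY in names:
        return "report-only"
    if PREFIXED in names:
        return "prefixed-only"
    return "none"


def survey(responses: Dict[str, Iterable[Header]]) -> Dict[str, List[str]]:
    """Bucket hosts by status; the 'prefixed-only' bucket is the outreach list."""
    buckets: Dict[str, List[str]] = {
        "standard": [], "report-only": [], "prefixed-only": [], "none": [],
    }
    for host, headers in responses.items():
        buckets[csp_status(headers)].append(host)
    for hosts in buckets.values():
        hosts.sort()
    return buckets


# Constructed sample responses (not real survey data).
SAMPLE_RESPONSES: Dict[str, List[Header]] = {
    "both.example": [
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Security-Policy", "default-src 'self'"),
    ],
    "prefixed.example": [("X-Content-Security-Policy", "default-src 'self'")],
    "mixedcase.example": [("content-security-policy", "default-src 'none'")],
    "reporting.example": [
        ("Content-Security-Policy-Report-Only", "default-src 'self'"),
        ("X-Content-Security-Policy", "default-src 'self'"),
    ],
    "plain.example": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for status, hosts in survey(SAMPLE_RESPONSES).items():
        print(f"{status:14s} {', '.join(hosts) or '-'}")
```

Feeding it real data means collecting the response headers of each surveyed front page and passing them as (name, value) pairs; duplicate header lines are handled because only the set of names matters for classification.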
