Starred by 2 users
Status: Fixed
Owner:
Closed: Nov 2012
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Launch-OWP
Launch-Accessibility: ----
Launch-Legal: ----
Launch-M-Approved: ----
Launch-M-Target: ----
Launch-Privacy: ----
Launch-Security: ----
Launch-Status: ----
Launch-Test: ----
Launch-UI: ----
Product-Review: ----
Add unprefixed support for the "Content-Security-Policy" header
Project Member Reported by meh@chromium.org, Nov 8 2012
(See http://goto.google.com/owp-launch-guide for an overview)

*High-level description of the change (1-2 sentences):*
Content Security Policy is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources.

The Content-Security-Policy header field is the preferred mechanism for delivering a CSP policy. Upon receiving an HTTP response containing at least one Content-Security-Policy header field, the user agent must enforce each of the policies contained in each such header field.

*Listing of additions/modifications/changes to API surface (bullet points):*
Move to Content-Security-Policy from X-WebKit-CSP
---------
Additional context (fill in as much as you can, or link to a prior API launch bug with the context):
*Link to relevant webkit or crbug:*
https://bugs.webkit.org/show_bug.cgi?id=96765

*Link to relevant public standards discussion:*
http://www.w3.org/TR/CSP/
http://lists.w3.org/Archives/Public/public-webappsec/2012Aug/0007.html

*Support in other browsers (current and expected):*
Internet Explorer: partial support in 10
Firefox: prefixed support since 15
Safari: prefixed support since 5.0
Opera: no support
http://caniuse.com/#feat=contentsecuritypolicy

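The enforcement rule in the description (every CSP header field in a response yields a policy, and the user agent enforces all of them) as an added example that is not Chromium's or WebKit's code: a small Python model that collects policies delivered under the unprefixed Content-Security-Policy header and under the legacy X-WebKit-CSP name, and allows a resource load only if every collected policy allows it. The response headers, page origin and URLs are constructed, and source matching is a simplified CSP 1.0 subset (no ports, paths or scheme-only sources).

```python
from urllib.parse import urlsplit

# The unprefixed header this issue launches and the prefixed one it replaces;
# a UA honouring both must enforce every policy delivered under either name.
CSP_HEADERS = ("content-security-policy", "x-webkit-csp")

# Constructed sample response carrying both header names. The two values
# differ, so enforcing both is stricter than enforcing either one alone.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example.net"),
    ("X-WebKit-CSP", "script-src 'self' https://cdn.example.net https://analytics.example.org"),
]
PAGE_ORIGIN = "https://app.example.com"  # constructed origin of the document

def parse_policy(value):
    """Parse one header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def collect_policies(headers):
    """Each CSP header field in the response yields one policy to enforce."""
    return [parse_policy(v) for n, v in headers if n.lower() in CSP_HEADERS]

def source_matches(expr, page_origin, url):
    """Simplified CSP 1.0 source matching: no port, path or scheme-only sources."""
    parsed = urlsplit(url)
    origin = f"{parsed.scheme}://{parsed.netloc}"
    if expr == "*":
        return True
    if expr == "'self'":
        return origin == page_origin
    if expr.startswith("'"):            # 'none', 'unsafe-inline', ...: never match a URL
        return False
    if "://" in expr:                   # scheme + host, e.g. https://cdn.example.net
        return origin == expr.rstrip("/")
    if expr.startswith("*."):           # wildcard host, e.g. *.example.net
        return (parsed.hostname or "").endswith(expr[1:])
    return parsed.hostname == expr      # bare host

def policy_allows(policy, directive, page_origin, url):
    """A missing directive falls back to default-src; a policy silent on both allows."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, page_origin, url) for s in sources)

def load_allowed(headers, directive, page_origin, url):
    """The load is allowed only if every delivered policy allows it."""
    return all(policy_allows(p, directive, page_origin, url)
               for p in collect_policies(headers))
```

With the sample headers, a script from cdn.example.net passes both policies, while one from analytics.example.org is blocked because the unprefixed policy omits it.
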
Comment 1 by meh@chromium.org, Nov 25 2012
Owner: mkwst@chromium.org
Mike's H5R announcement post: http://updates.html5rocks.com/2012/11/Content-Security-Policy-1-0-is-officially-awesome
Comment 2 by meh@chromium.org, Jan 4 2013
Labels: OS-Android OS-Windows OS-Mac OS-Linux OS-Chrome OS-iOS
Not sure why OS-iOS was added; we don't control how UIWebView interprets headers for JS purposes. Did someone add code that rewrites the headers on iOS so that UIWebView gets the prefixed header if the server sends the unprefixed version?
Comment 4 by meh@chromium.org, Jan 7 2013
Labels: -OS-iOS
Thanks for your comment. I'm removing OS-iOS for now. Feel free to add it back if appropriate!
Labels: -OS-Android -OS-Windows -OS-Mac -OS-Linux -OS-Chrome OS-All
Project Member Comment 6 by bugdroid1@chromium.org, Mar 9 2013
Labels: -Mstone-25 M-25
Project Member Comment 7 by bugdroid1@chromium.org, Mar 9 2013
Labels: -OWP-DesignReview-No OWP-Design-No
Comment 8 by Deleted ...@, Mar 12 2013
Does WebView on Android support CSP?