If I am not wrong, http://mxr.mozilla.org/mozilla-central/source/content/base/public/nsContentPolicyUtils.h#158 shows that the nsIContentPolicy implementation (which CSP uses) bypasses all checks for chrome:// URI pages. Disabling this optimization might have an impact on performance, and the compat hit might be huge.

--dev

On 20 September 2013 10:05, Frederik Braun <fbr...@mozilla.com> wrote:
> On 19.09.2013 20:30, Daniel Veditz wrote:
>>> The only question that remains, is how hard is it to apply a CSP to
>>> non-HTTP documents and XUL documents (like about:newtab)?
>>
>> At the moment, hard; trivial once we support the CSP 1.1 <meta> tag
>> feature. Well, actually, adding the CSP policies isn't going to be the
>> hard part, fixing up all the pages will take a lot of work.
>>
>
> Is that because those pages are not transmitted over HTTP or because our
> existing CSP implementation doesn't really know how to handle the XUL?
>
>> It'd be safer to automatically impose a policy but that would break so
>> many add-ons that it would take great political will to make that kind
>> of change even if we let add-ons opt-out of the imposition.
>>
>
> I'd love to avoid implicitly attaching policies to web pages. It sounds
> like a good thing to go "default secure", but nobody will be happy if
> we break add-ons.
>
>> -Dan Veditz
>
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security