Bug 97408

Summary:

Measure the usage of the "X-WebKit-CSP" header in the hopes of dropping the prefix completely.

Product:

WebKit

Reporter:

Mike West <mkwst>

Component:

WebCore Misc.

Assignee:

Mike West <mkwst>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

abarth, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

97190

Attachments:

Description	Flags
Patch	none

Description Mike West 2012-09-23 09:48:33 PDT

At some point, we'll want to drop the "X-WebKit-CSP" header completely. We won't be able to do that unless we have some baseline measurements. Assuming that it's very low cost, I think it makes sense to start measuring now.

When we add the unprefixed header, we should likely measure that as well to track the transition. I'd suggest doing both measurements inside of ContentSecurityPolicy::didReceiveHeader.

WDYT, Adam?

Comment 1 Mike West 2012-09-23 09:52:10 PDT

Created attachment 165286 [details]
Patch

Comment 2 Adam Barth 2012-09-23 09:57:22 PDT

Note that dropping support for the prefixed header is easier than usual because it won't break any web sites.  (It will just make them a bit less secure.)

We also use the prefixed header in Chromium.  Once we have the unprefixed header, we should switch Chromium over to using the unprefixed version.

Comment 3 Mike West 2012-09-23 10:00:52 PDT

(In reply to comment #2)
> Note that dropping support for the prefixed header is easier than usual because it won't break any web sites.  (It will just make them a bit less secure.)
> 
> We also use the prefixed header in Chromium.  Once we have the unprefixed header, we should switch Chromium over to using the unprefixed version.

In the chrome://* pages, you mean? Good point. 

That said, there may be some areas where we could experimentally use some of the 1.1 bits and pieces. There might be inline script that 'script-nonce' could apply to, for instance. I'll file a bug to make sure we remember to talk about it.

Comment 4 Mike West 2012-09-23 10:06:06 PDT

(In reply to comment #3)
> I'll file a bug to make sure we remember to talk about it.

http://crbug.com/151857

Comment 5 WebKit Review Bot 2012-09-23 10:36:56 PDT

Comment on attachment 165286 [details]
Patch

Clearing flags on attachment: 165286

Committed r129315: <http://trac.webkit.org/changeset/129315>

Comment 6 WebKit Review Bot 2012-09-23 10:36:59 PDT

All reviewed patches have been landed.  Closing bug.

Comment 7 Adam Barth 2012-09-23 12:00:22 PDT

> In the chrome://* pages, you mean? Good point. 

I also mean that content_security_policy in extension manifests maps to X-WebKit-CSP.  We just need to grep the Chromium codebase for X-WebKit-CSP and update it.