Bug 97408

Summary: Measure the usage of the "X-WebKit-CSP" header in the hopes of dropping the prefix completely.
Product: WebKit Reporter: Mike West <mkwst>
Component: WebCore Misc.Assignee: Mike West <mkwst>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 97190    
Attachments:
Description Flags
Patch none

Mike West
Reported 2012-09-23 09:48:33 PDT
At some point, we'll want to drop the "X-WebKit-CSP" header completely. We won't be able to do that unless we have some baseline measurements. Assuming that it's very low cost, I think it makes sense to start measuring now. When we add the unprefixed header, we should likely measure that as well to track the transition. I'd suggest doing both measurements inside of ContentSecurityPolicy::didReceiveHeader. WDYT, Adam?
Attachments
Patch (2.86 KB, patch)
2012-09-23 09:52 PDT, Mike West 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mike West
Comment 1 2012-09-23 09:52:10 PDT
Created attachment 165286 [details] Patch
Adam Barth
Comment 2 2012-09-23 09:57:22 PDT
Note that dropping support for the prefixed header is easier than usual because it won't break any web sites. (It will just make them a bit less secure.) We also use the prefixed header in Chromium. Once we have the unprefixed header, we should switch Chromium over to using the unprefixed version.
Mike West
Comment 3 2012-09-23 10:00:52 PDT
(In reply to comment #2) > Note that dropping support for the prefixed header is easier than usual because it won't break any web sites. (It will just make them a bit less secure.) > > We also use the prefixed header in Chromium. Once we have the unprefixed header, we should switch Chromium over to using the unprefixed version. In the chrome://* pages, you mean? Good point. That said, there may be some areas where we could experimentally use some of the 1.1 bits and pieces. There might be inline script that 'script-nonce' could apply to, for instance. I'll file a bug to make sure we remember to talk about it.
Mike West
Comment 4 2012-09-23 10:06:06 PDT
(In reply to comment #3) > I'll file a bug to make sure we remember to talk about it. http://crbug.com/151857
WebKit Review Bot
Comment 5 2012-09-23 10:36:56 PDT
Comment on attachment 165286 [details] Patch Clearing flags on attachment: 165286 Committed r129315: <http://trac.webkit.org/changeset/129315>
WebKit Review Bot
Comment 6 2012-09-23 10:36:59 PDT
All reviewed patches have been landed. Closing bug.
Adam Barth
Comment 7 2012-09-23 12:00:22 PDT
> In the chrome://* pages, you mean? Good point. I also mean that content_security_policy in extension manifests maps to X-WebKit-CSP. We just need to grep the Chromium codebase for X-WebKit-CSP and update it.
Note You need to log in before you can comment on or make changes to this bug.