97408 2012-09-23 09:48:33 -0700 Measure the usage of the "X-WebKit-CSP" header in the hopes of dropping the prefix completely. 2012-09-23 12:00:22 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 97190 1 mkwst mkwst abarth webkit.review.bot oldest_to_newest 726264 0 mkwst 2012-09-23 09:48:33 -0700 At some point, we'll want to drop the "X-WebKit-CSP" header completely. We won't be able to do that unless we have some baseline measurements. Assuming that it's very low cost, I think it makes sense to start measuring now. When we add the unprefixed header, we should likely measure that as well to track the transition. I'd suggest doing both measurements inside of ContentSecurityPolicy::didReceiveHeader. WDYT, Adam? 726265 1 165286 mkwst 2012-09-23 09:52:10 -0700 Created attachment 165286 Patch 726266 2 abarth 2012-09-23 09:57:22 -0700 Note that dropping support for the prefixed header is easier than usual because it won't break any web sites. (It will just make them a bit less secure.) We also use the prefixed header in Chromium. Once we have the unprefixed header, we should switch Chromium over to using the unprefixed version. 726268 3 mkwst 2012-09-23 10:00:52 -0700 (In reply to comment #2) > Note that dropping support for the prefixed header is easier than usual because it won't break any web sites. (It will just make them a bit less secure.) > > We also use the prefixed header in Chromium. Once we have the unprefixed header, we should switch Chromium over to using the unprefixed version. In the chrome://* pages, you mean? Good point. That said, there may be some areas where we could experimentally use some of the 1.1 bits and pieces. There might be inline script that 'script-nonce' could apply to, for instance. I'll file a bug to make sure we remember to talk about it. 726269 4 mkwst 2012-09-23 10:06:06 -0700 (In reply to comment #3) > I'll file a bug to make sure we remember to talk about it. http://crbug.com/151857 726274 5 165286 webkit.review.bot 2012-09-23 10:36:56 -0700 Comment on attachment 165286 Patch Clearing flags on attachment: 165286 Committed r129315: <http://trac.webkit.org/changeset/129315> 726275 6 webkit.review.bot 2012-09-23 10:36:59 -0700 All reviewed patches have been landed. Closing bug. 726281 7 abarth 2012-09-23 12:00:22 -0700 > In the chrome://* pages, you mean? Good point. I also mean that content_security_policy in extension manifests maps to X-WebKit-CSP. We just need to grep the Chromium codebase for X-WebKit-CSP and update it. 165286 2012-09-23 09:52:10 -0700 2012-09-23 10:36:56 -0700 Patch bug-97408-20120923185133.patch text/plain 2932 mkwst U3VidmVyc2lvbiBSZXZpc2lvbjogMTI5MzE0CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMTU3MzI2M2NjZDg5M2Yz ZGQ5OGQ5YzZkZGZkZDljNDg5ZjEzNDc3MS4uMGQwNGQyNDBmYzhkNTMxYzBhNjI1YTcwMjYyMGQy MjI0ZTUxNTA5MiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIyIEBACisyMDEyLTA5LTIzICBNaWtl IFdlc3QgIDxta3dzdEBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgTWVhc3VyZSB0aGUgdXNhZ2Ug b2YgdGhlICJYLVdlYktpdC1DU1AiIGhlYWRlciBpbiB0aGUgaG9wZXMgb2YgZHJvcHBpbmcgdGhl IHByZWZpeCBjb21wbGV0ZWx5LgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93 X2J1Zy5jZ2k/aWQ9OTc0MDgKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4K KworICAgICAgICBXZSBwbGFuIG9uIGxhbmRpbmcgdGhlIHVucHJlZml4ZWQgaGVhZGVyIGluIHdl YmtpdC5vcmcvYi85Njc2NSBvbmNlIHRoZQorICAgICAgICBzcGVjIG1vdmVzIHRvIENSLiBUaG91 Z2ggd2UgcGxhbiB0byB1c2UgaXQgZm9yIGV4cGVyaW1lbnRhdGlvbiBpbiB0aGUKKyAgICAgICAg bmVhciBmdXR1cmUsIHdlJ2xsIHdhbnQgdG8gZHJvcCB0aGUgcHJlZml4ZWQgaGVhZGVyIGNvbXBs ZXRlbHkgYXQgc29tZQorICAgICAgICBwb2ludCBpbiB0aGUgZnV0dXJlLiBTdGFydGluZyB0byBt ZWFzdXJlIGl0cyB1c2FnZSBub3cgd2lsbCBnaXZlIHVzIGEKKyAgICAgICAgZ29vZCBiYXNlbGlu ZSB3aGVuIHdlIHN0YXJ0IGNvbnRlbXBsYXRpbmcgdGhhdCBkZWNpc2lvbi4KKworICAgICAgICBO byBuZXcgZnVuY3Rpb25hbGl0eSwgc28gbm8gbmV3IHRlc3RzLgorCisgICAgICAgICogcGFnZS9D b250ZW50U2VjdXJpdHlQb2xpY3kuY3BwOgorICAgICAgICAoV2ViQ29yZTo6Q29udGVudFNlY3Vy aXR5UG9saWN5OjpkaWRSZWNlaXZlSGVhZGVyKToKKyAgICAgICAgKiBwYWdlL0ZlYXR1cmVPYnNl cnZlci5oOgorCiAyMDEyLTA5LTIyICBEb21pbmljIE1henpvbmkgIDxkbWF6em9uaUBnb29nbGUu Y29tPgogCiAgICAgICAgIEFYOiBMYXlvdXQgdGVzdHMgd291bGQgYmUgZWFzaWVyIHRvIHdyaXRl IGlmIEFjY2Vzc2liaWxpdHlDb250cm9sbGVyIGNvdWxkIGZpbmQgYW4gZWxlbWVudCBieSBpZApk aWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcGFnZS9Db250ZW50U2VjdXJpdHlQb2xpY3kuY3Bw IGIvU291cmNlL1dlYkNvcmUvcGFnZS9Db250ZW50U2VjdXJpdHlQb2xpY3kuY3BwCmluZGV4IDg4 NzA2MjE2MWI0YjI2NWNjZWRmYTkwZjdlZTM5YmM3NjNiNDQ0ZGMuLjRiYjNhODhhOGYzOWEwOTFk N2U4ZTFjOTU5ZGYwMzE4ODkwMmY3YjggMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BhZ2Uv Q29udGVudFNlY3VyaXR5UG9saWN5LmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9wYWdlL0NvbnRl bnRTZWN1cml0eVBvbGljeS5jcHAKQEAgLTI5LDYgKzI5LDcgQEAKICNpbmNsdWRlICJDb25zb2xl LmgiCiAjaW5jbHVkZSAiRE9NU3RyaW5nTGlzdC5oIgogI2luY2x1ZGUgIkRvY3VtZW50LmgiCisj aW5jbHVkZSAiRmVhdHVyZU9ic2VydmVyLmgiCiAjaW5jbHVkZSAiRm9ybURhdGEuaCIKICNpbmNs dWRlICJGb3JtRGF0YUxpc3QuaCIKICNpbmNsdWRlICJGcmFtZS5oIgpAQCAtMTI4NSw2ICsxMjg2 LDExIEBAIHZvaWQgQ29udGVudFNlY3VyaXR5UG9saWN5Ojpjb3B5U3RhdGVGcm9tKGNvbnN0IENv bnRlbnRTZWN1cml0eVBvbGljeSogb3RoZXIpCiAKIHZvaWQgQ29udGVudFNlY3VyaXR5UG9saWN5 OjpkaWRSZWNlaXZlSGVhZGVyKGNvbnN0IFN0cmluZyYgaGVhZGVyLCBIZWFkZXJUeXBlIHR5cGUp CiB7CisgICAgaWYgKG1fc2NyaXB0RXhlY3V0aW9uQ29udGV4dC0+aXNEb2N1bWVudCgpKSB7Cisg ICAgICAgIERvY3VtZW50KiBkb2N1bWVudCA9IHN0YXRpY19jYXN0PERvY3VtZW50Kj4obV9zY3Jp cHRFeGVjdXRpb25Db250ZXh0KTsKKyAgICAgICAgRmVhdHVyZU9ic2VydmVyOjpvYnNlcnZlKGRv Y3VtZW50LT5kb21XaW5kb3coKSwgRmVhdHVyZU9ic2VydmVyOjpQcmVmaXhlZENvbnRlbnRTZWN1 cml0eVBvbGljeSk7CisgICAgfQorCiAgICAgLy8gUkZDMjYxNiwgc2VjdGlvbiA0LjIgc3BlY2lm aWVzIHRoYXQgaGVhZGVycyBhcHBlYXJpbmcgbXVsdGlwbGUgdGltZXMgY2FuCiAgICAgLy8gYmUg Y29tYmluZWQgd2l0aCBhIGNvbW1hLiBXYWxrIHRoZSBoZWFkZXIgc3RyaW5nLCBhbmQgcGFyc2Ug ZWFjaCBjb21tYQogICAgIC8vIHNlcGFyYXRlZCBjaHVuayBhcyBhIHNlcGFyYXRlIGhlYWRlci4K ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BhZ2UvRmVhdHVyZU9ic2VydmVyLmggYi9Tb3Vy Y2UvV2ViQ29yZS9wYWdlL0ZlYXR1cmVPYnNlcnZlci5oCmluZGV4IGY5M2I0MmYyMDk5N2RlY2Fi MWZlMGE2ODYyMDY0MDVlM2ExMmQwZjkuLjkwOTZlYzU5NjU2MzY3YTk4NTMzNjBmMDM4N2NmZDM4 MjY3YTgxMjcgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BhZ2UvRmVhdHVyZU9ic2VydmVy LmgKKysrIGIvU291cmNlL1dlYkNvcmUvcGFnZS9GZWF0dXJlT2JzZXJ2ZXIuaApAQCAtNDcsNiAr NDcsNyBAQCBwdWJsaWM6CiAgICAgICAgIFNoYXJlZFdvcmtlclN0YXJ0LAogICAgICAgICBMZWdh Y3lXZWJBdWRpb05vdGVPbiwKICAgICAgICAgV2ViQXVkaW9TdGFydCwKKyAgICAgICAgUHJlZml4 ZWRDb250ZW50U2VjdXJpdHlQb2xpY3ksCiAgICAgICAgIC8vIEFkZCBuZXcgZmVhdHVyZXMgYWJv dmUgdGhpcyBsaW5lLgogICAgICAgICBOdW1iZXJPZkZlYXR1cmVzLCAvLyBUaGlzIGVudW0gdmFs dWUgbXVzdCBiZSBsYXN0LgogICAgIH07Cg==