Implement CSP child-src directive #949

Even though this CSP 1.1 directive is deprecated in the CSP standard (right after introducing it!) and as such we never implemented it (well, very briefly in our JS implementation) because people want to use worker-src instead for workers, we should probably for web compatibility implement child-src to fix CSP-restricted use of web workers that now fall back to script-src when child-src is used (e.g. dropbox).
We can alias worker-src (currently only implemented in Chrome) to child-src, mostly (just needs the frame-src functionality of it disabled in that case).

Implementation ref on BMO: https://bugzilla.mozilla.org/show_bug.cgi?id=1045891 (FF45)

Even though this CSP 1.1 directive is deprecated in the CSP standard (right after introducing it!) and as such we never implemented it (well, very briefly in our JS implementation) because people want to use `worker-src` instead for workers, we should probably for web compatibility implement `child-src` to fix CSP-restricted use of web workers that now fall back to `script-src` when `child-src` is used (e.g. dropbox). We can alias `worker-src` (currently only implemented in Chrome) to `child-src`, mostly (just needs the `frame-src` functionality of it disabled in that case). Implementation ref on BMO: https://bugzilla.mozilla.org/show_bug.cgi?id=1045891 (FF45)

I'll see if I can make a quick implementation of this; we don't have to go through the lengths of the BMO bug since we don't use service workers, so it can be simpler.

No, refactoring happened here too. Unknown why, but seems deliberate to make things difficult.

Can't we have child-src back and alias worker-src to it?

Isn't that what I already said?

If you mean "can't we have child-src back" the way it was already implemented before: no, we can't. our previous platform used a JS-based CSP parser. That was a lot easier to maintain than the C++ variant we have inherited in the platform re-base now with Tycho.

I've looked into the reasons why they converted this to C++, and it's been for a project that turned out to be a bust anyway: Firefox OS (because, surprise surprise, their target crap phones were slow as tar doing this in JS).
We should consider reinstating the old CSP parser in JS by rolling back the changes made in https://bugzilla.mozilla.org/show_bug.cgi?id=994782 and disabling the C++ back-end, then using a more maintainable version of the CSP parser in JS to change/add/remove directives as-needed and as they are changed in this spec mess.

I've looked into the reasons why they converted this to C++, and it's been for a project that turned out to be a bust anyway: Firefox OS (because, surprise surprise, their target crap phones were slow as tar doing this in JS). We should consider reinstating the old CSP parser in JS by rolling back the changes made in https://bugzilla.mozilla.org/show_bug.cgi?id=994782 and disabling the C++ back-end, then using a more maintainable version of the CSP parser in JS to change/add/remove directives as-needed and as they are changed in this spec mess.

We'll have this solved in a UXP-based Pale Moon. Closing.

Labels Milestones

Implement CSP child-src directive #949