Bug 858787 - Enable CSP 1.0 parser in B2G and update certified app CSP to be legacy-compatible (relaxed). r=gwagner, r=grobinson, a=bajaj
authorSid Stamm <sstamm@mozilla.com>
Tue, 10 Jun 2014 15:31:46 -0700
changeset 207021 769f119194b72d7d71e727d3e558787645f66ef2
parent 207020 7df8944f610b58dadf0253f37231522e44dcac01
child 207022 abd8f8a2645e616b9c320a6a6c9af3df5973bcba
push id3741
push userasasaki@mozilla.com
push dateMon, 21 Jul 2014 20:25:18 +0000
treeherdermozilla-beta@4d6f46f5af68 [default view] [failures only]
reviewersgwagner, grobinson, bajaj
bugs858787
milestone32.0a2
Bug 858787 - Enable CSP 1.0 parser in B2G and update certified app CSP to be legacy-compatible (relaxed). r=gwagner, r=grobinson, a=bajaj
b2g/app/b2g.js
--- a/b2g/app/b2g.js
+++ b/b2g/app/b2g.js
@@ -385,20 +385,23 @@ pref("content.ime.strict_policy", true);
 // On Android, you also need to do the following for the output
 // to show up in logcat:
 //
 // $ adb shell stop
 // $ adb shell setprop log.redirect-stdio true
 // $ adb shell start
 pref("browser.dom.window.dump.enabled", false);
 
+// Turn on the CSP 1.0 parser for Content Security Policy headers
+pref("security.csp.speccompliant", true);
+
 // Default Content Security Policy to apply to privileged and certified apps
 pref("security.apps.privileged.CSP.default", "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'");
 // If you change this CSP, make sure to update the fast path in nsCSPService.cpp
-pref("security.apps.certified.CSP.default", "default-src *; script-src 'self'; object-src 'none'; style-src 'self'");
+pref("security.apps.certified.CSP.default", "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'");
 
 // Temporarily force-enable GL compositing.  This is default-disabled
 // deep within the bowels of the widgetry system.  Remove me when GL
 // compositing isn't default disabled in widget/android.
 pref("layers.acceleration.force-enabled", true);
 
 // handle links targeting new windows
 // 1=current window/tab, 2=new window, 3=new tab in most recent window
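Review bot: The new `security.apps.certified.CSP.default` value changes the certified policy, and the comment directly above it says the fast path in nsCSPService.cpp must be updated whenever this CSP changes. Only b2g/app/b2g.js is visible on this page, so confirm that the fast path was updated to match the new string; if it still assumes the old policy, it would presumably go stale. The relaxation itself is undocumented in the file. With `style-src 'self' 'unsafe-inline'` the certified default is now identical to the privileged one, so CSP no longer blocks inline styles introduced by a markup-injection bug in a certified app. I would record the reason next to the pref, for example `// style-src allows 'unsafe-inline' for legacy compatibility under the CSP 1.0 parser (bug 858787); script-src stays 'self' only, tighten once certified apps carry no inline styles`.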