Closed
Bug 1011841
Opened 10 years ago
Closed 10 years ago
CSP: wildcards should match plain domain hostnames
Categories
(Core :: Security, defect)
Status: RESOLVED INVALID
People
(Reporter: superber, Assigned: ckerschb)
References
(Blocks 1 open bug)
Details
User Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140429 Firefox/24.0 Iceweasel/24.5.0 (Nightly/Aurora)
Build ID: 20140429201742

Steps to reproduce:
Set up a content security policy with default-src *.foo.com

Actual results:
It matches images.foo.com but not foo.com

Expected results:
Should match foo.com, as stated in https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives . Chromium implements this correctly.
Updated•10 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core
Updated•10 years ago
Assignee: nobody → mozilla
Comment 1•10 years ago
This is an error in the MDN page and possibly in Chromium. The CSP spec says: "If the first character of the source expression's host is an U+002A ASTERISK character (*) and the remaining characters, including the leading U+002E FULL STOP character (.), are not a case insensitive match for the rightmost characters of uri-host, then return does not match." http://www.w3.org/TR/CSP/#matching This means that *.foo.com will only match things that end with .foo.com (including the leading dot). Only valid hosts that would match have that extra token in front of .foo.com, so foo.com itself is not a match. The same wording is in the CSP 1.1 draft. I corrected the MDN page and am resolving this bug as invalid (CSP in Gecko works as intended).
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
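The host-source matching rule quoted in comment 1, applied to the policy from the report, as an added example that is not code from the bug or from Gecko. It compares only the host component (scheme and port handling are assumed out of scope), and the policy and host names are the ones from the report.

```javascript
// Added example: CSP host-source matching as described in the quoted spec text.
// Assumption: only the host part of a source expression is compared here;
// scheme and port matching are left out.

/**
 * Returns true if `uriHost` matches the CSP host-source expression `expr`.
 * Per the spec wording in comment 1, a leading "*" matches only when the
 * remaining characters (including the leading ".") are a case-insensitive
 * suffix of the host. So "*.foo.com" matches "images.foo.com" but not
 * "foo.com", because "foo.com" does not end with ".foo.com".
 */
function cspHostMatches(expr, uriHost) {
  const host = uriHost.toLowerCase();
  const source = expr.toLowerCase();
  if (source === "*") {
    return true; // bare wildcard matches any host
  }
  if (source.startsWith("*")) {
    const suffix = source.slice(1); // e.g. ".foo.com"
    // The host must be strictly longer than the suffix: at least one
    // label has to sit in front of ".foo.com" for the suffix to match.
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === source; // plain host: exact, case-insensitive match
}

// Constructed inputs taken from the report: the policy source and the hosts
// the reporter compared, plus a look-alike host that must not match.
const POLICY_SOURCE = "*.foo.com";
function reportCases() {
  return {
    "images.foo.com": cspHostMatches(POLICY_SOURCE, "images.foo.com"),
    "foo.com": cspHostMatches(POLICY_SOURCE, "foo.com"),
    "evilfoo.com": cspHostMatches(POLICY_SOURCE, "evilfoo.com"),
  };
}
```

A policy that is meant to cover the apex host as well must list it explicitly, e.g. `default-src foo.com *.foo.com`; the wildcard alone does not.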