Closed Bug 1011841 Opened 10 years ago Closed 10 years ago

CSP: wildcards should match plain domain hostnames

Categories

(Core :: Security, defect)

Version: 29 Branch
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED INVALID

People

(Reporter: superber, Assigned: ckerschb)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140429 Firefox/24.0 Iceweasel/24.5.0 (Nightly/Aurora)
Build ID: 20140429201742

Steps to reproduce:

Set up a content security policy with
default-src *.foo.com


Actual results:

It matches images.foo.com but not foo.com.


Expected results:

Should match foo.com, as stated in https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives.
Chromium implements this correctly.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Blocks: CSP
Component: DOM: Security → Security
Assignee: nobody → mozilla
This is an error in the MDN page and possibly in Chromium.

The CSP spec says: "If the first character of the source expression's host is an U+002A ASTERISK character (*) and the remaining characters, including the leading U+002E FULL STOP character (.), are not a case insensitive match for the rightmost characters of uri-host, then return does not match."

http://www.w3.org/TR/CSP/#matching

This means that *.foo.com will only match things that end with .foo.com (including the leading dot).  Only valid hosts that would match have that extra token in front of .foo.com, so foo.com itself is not a match.  The same wording is in the CSP 1.1 draft.

I corrected the MDN page and am resolving this bug as invalid (CSP in Gecko works as intended).
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
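A small implementation of the host-matching rule quoted in the comment above, added here as an illustration; it is not Gecko's or Chromium's code, and it handles only host sources (no schemes, ports or keywords such as 'self'). The policy strings are the one from the report and the corrected one a site author would write.

```javascript
// Added example (not Gecko's or Chromium's code): host matching for a
// CSP source expression, following the rule quoted from the CSP spec.
// Hosts compare case-insensitively; a "*." prefix requires the rest of the
// expression, leading dot included, to be the rightmost part of the host.

// Does the host of a URI match one CSP host source expression?
function cspHostMatches(sourceHost, uriHost) {
  const source = sourceHost.toLowerCase();
  const host = uriHost.toLowerCase();
  if (source === '*') return true;          // bare "*" matches any host
  if (source.startsWith('*.')) {
    const suffix = source.slice(1);         // "*.foo.com" -> ".foo.com"
    // "foo.com" does not end with ".foo.com", so it is not matched;
    // neither are "evil-foo.com" or "foo.com.evil.net".
    return host.endsWith(suffix);
  }
  return source === host;                   // no wildcard: exact match
}

// Does a whitespace-separated source list (the value of a directive such
// as default-src) allow a load from uriHost?  Host sources only.
function cspAllowsHost(sourceList, uriHost) {
  return sourceList
    .trim()
    .split(/\s+/)
    .some((src) => cspHostMatches(src, uriHost));
}

// The policy from the bug report, and the policy a site that also serves
// from the bare domain needs to write (constructed sample values).
const reportedPolicy = '*.foo.com';
const fixedPolicy = '*.foo.com foo.com';

console.log(cspAllowsHost(reportedPolicy, 'images.foo.com')); // true
console.log(cspAllowsHost(reportedPolicy, 'foo.com'));        // false
console.log(cspAllowsHost(fixedPolicy, 'foo.com'));           // true
```

The last case is the practical consequence of the spec wording: a site that loads from both the bare domain and its subdomains has to list foo.com alongside *.foo.com.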