Open Bug 1076837 Opened 10 years ago Updated 2 years ago

CSP - Update Source Expression matching to follow spec

Component: Core :: DOM: Security (defect, P3)

Reporter: ckerschb, Unassigned

Blocks 1 open bug

Whiteboard: [domsecurity-backlog2]

As Sid pointed out correctly in:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1075230#c10
there are 2 things that we currently do differently in
> http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsCSPUtils.cpp#291
than the spec suggests in:
> http://www.w3.org/TR/CSP11/#match-source-expression

In particular:
* 4.4.1, and 4.4.2
Blocks: 951457
Whiteboard: [domsecurity-backlog]
Blocks: csp-w3c-3
Priority: -- → P2
Priority: P2 → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog2]
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #0)
> than the spec suggests in:
> > http://www.w3.org/TR/CSP11/#match-source-expression
> 
> In particular:
> * 4.4.1, and 4.4.2

The spec has changed and these references are no longer valid.

Looking at the version of the spec at the time of that comment though:

  https://www.w3.org/TR/2014/WD-CSP2-20140703/#match-source-expression

the relevant lines look like:
  
  4.4.1. the scheme of the protected resource’s URI is a case insensitive match for HTTP, and uri-scheme is not a case insensitive match for either HTTP or HTTPS
  4.4.2. the scheme of the protected resource’s URI is not a case insensitive match for HTTP, and uri-scheme is not a case insensitive match for the scheme of the protected resource’s URI.
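As an added illustration (not code from this bug or from Firefox's nsCSPUtils.cpp), here is the scheme-matching portion of the 2014 CSP2 Working Draft's match-source-expression algorithm in Python, including the two schemeless cases 4.4.1 and 4.4.2 quoted above; the function name and all URLs are constructed for the example.

```python
from urllib.parse import urlsplit


def source_scheme_matches(source_expr: str, url: str, page_url: str) -> bool:
    """Scheme-only part of the CSP2 WD (2014-07-03) match-source-expression.

    Host, port and path matching are out of scope here, so True means
    "not rejected on scheme" rather than "the whole expression matches".
    Keyword sources such as 'self' are not modelled and are rejected.
    """
    url_scheme = urlsplit(url).scheme.lower()
    page_scheme = urlsplit(page_url).scheme.lower()
    expr = source_expr.strip().lower()

    if expr.startswith("'"):
        raise ValueError("keyword sources are not handled by this example")

    # Step 2: a lone '*' is not subject to the scheme checks below.
    if expr == "*":
        return True

    # Step 3: a bare scheme-source such as "https:" matches on scheme alone.
    if expr.endswith(":") and "/" not in expr:
        return url_scheme == expr[:-1]

    # Step 4.3: a host-source with an explicit scheme-part
    # ("https://cdn.example") must match the URL scheme case-insensitively.
    if "://" in expr:
        return url_scheme == expr.split("://", 1)[0]

    # Step 4.4: no scheme-part, so fall back to the protected resource's scheme.
    if page_scheme == "http":
        # 4.4.1: an http: document may load from http: or https: (upgrade allowed).
        return url_scheme in ("http", "https")
    # 4.4.2: any other document scheme requires an exact (case-insensitive) match,
    # so an https: page does not match a schemeless expression for an http: URL.
    return url_scheme == page_scheme
```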
Severity: normal → S3