Open Bug 1410754 Opened 7 years ago Updated 2 years ago

CSP 'self' inherited to local scheme treat 'self'. spec implies 'self' should be an opaque origin.

Categories

(Core :: DOM: Security, defect, P3)

People

(Reporter: s.h.h.n.j.k, Unassigned)

Details

(Whiteboard: [domsecurity-backlog2])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36

Steps to reproduce:

1. Go to https://test.shhnjk.com/local_scheme.html


Actual results:

Firefox takes 'self' as the embedding document's origin.


Expected results:

According to the following comment, self should be the local scheme itself.
https://github.com/w3c/webappsec-csp/issues/248#issuecomment-336369837
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Version: 1.0 Branch → unspecified
I'm not convinced Firefox is wrong (as opposed to the spec language being less useful).
https://github.com/w3c/webappsec-csp/issues/248#issuecomment-340860245

In any case this is a spec compliance issue and doesn't need to be a hidden security bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: CSP 'self' inherited to local scheme treat 'self' incorrectly → CSP 'self' inherited to local scheme treat 'self'. spec implies 'self' should be an opaque origin.
Group: dom-core-security
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Severity: normal → S3