CSP 'self' inherited to local scheme treat 'self'. spec implies 'self' should be an opaque origin.

Status: NEW
Assignee: Unassigned
Product: Core
Component: DOM: Security
Priority: P3
Severity: normal
Opened: 28 days ago
Updated: 19 days ago
Reporter: Jun
Tracking flags: Not tracked
Whiteboard: [domsecurity-backlog2]

Description

28 days ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36

Steps to reproduce:

1. Go to https://test.shhnjk.com/local_scheme.html


Actual results:

Firefox takes 'self' as the embedding document's origin.


Expected results:

According to the following comment, self should be the local scheme itself.
https://github.com/w3c/webappsec-csp/issues/248#issuecomment-336369837

Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Version: 1.0 Branch → unspecified

I'm not convinced Firefox is wrong (as opposed to the spec language being less useful).
https://github.com/w3c/webappsec-csp/issues/248#issuecomment-340860245

In any case this is a spec compliance issue and doesn't need to be a hidden security bug.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: CSP 'self' inherited to local scheme treat 'self' incorrectly → CSP 'self' inherited to local scheme treat 'self'. spec implies 'self' should be an opaque origin.
Group: dom-core-security
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
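
An added example, not part of the bug report or Firefox code: a simplified JavaScript model of the two readings of 'self' discussed in this bug, applied to a framed document that inherited `script-src 'self'` from its embedder. The hostnames, the function names and the choice of a `data:` child document are assumptions made for the illustration.

```javascript
// Added illustration: simplified model of CSP 'self' matching, not browser code.
// Hostnames and function names below are constructed for this example.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return a {scheme, host, port} tuple, or "opaque" for URLs without a tuple origin.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return "opaque"; // e.g. data:
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] };
}

// Simplified 'self' match: exact scheme/host/port comparison against selfOrigin.
// (Real CSP matching also tolerates some scheme upgrades; omitted here.)
function matchesSelf(url, selfOrigin) {
  const target = originOf(url);
  if (selfOrigin === "opaque" || target === "opaque") return false;
  return target.scheme === selfOrigin.scheme &&
         target.host === selfOrigin.host &&
         target.port === selfOrigin.port;
}

// Pick the origin that 'self' resolves to for a document that inherited its policy.
// "embedder": the behaviour the report attributes to Firefox.
// "opaque":   the reading of the spec given in the bug summary.
function selfOriginFor(documentUrl, embedderUrl, interpretation) {
  const own = originOf(documentUrl);
  if (own !== "opaque") return own; // ordinary document: its own origin
  return interpretation === "embedder" ? originOf(embedderUrl) : "opaque";
}

// Which of the constructed sample loads would an inherited `script-src 'self'` allow?
function allowedLoads(interpretation) {
  const embedder = "https://embedder.example/page.html";
  const child = "data:text/html,<p>framed</p>";
  const requests = [
    "https://embedder.example/app.js",
    "https://embedder.example:8443/app.js",
    "https://other.example/lib.js",
  ];
  const selfOrigin = selfOriginFor(child, embedder, interpretation);
  return requests.filter((r) => matchesSelf(r, selfOrigin));
}

console.log("embedder:", allowedLoads("embedder"));
console.log("opaque:  ", allowedLoads("opaque"));
```

Under the embedder reading the framed document may load scripts from the embedder's origin; under the opaque reading 'self' matches nothing.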