Closed Bug 1421609 Opened 4 years ago Closed 4 years ago

CSP header: host-source without scheme is not taken into account

Categories

(Core :: DOM: Security, defect)

57 Branch
defect
Not set
normal

Tracking

RESOLVED INVALID
Tracking Status
firefox57 --- affected
firefox58 --- unaffected
firefox59 --- ?

People

(Reporter: carnet.franck.paul, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce:

Firefox 57 on OS X

Open a CSP protected Dotclear (CMS) administrative page on which the CSP header is set as follows:

default-src 'self' open-time.net ; script-src 'self' 'unsafe-inline' 'unsafe-eval' open-time.net https://api.embed.ly https://noembed.com ; style-src 'self' 'unsafe-inline' open-time.net ; img-src 'self' data: media.dotaddict.org blob: open-time.net ; child-src * ; report-uri https://***/csp_report.php



Actual results:

All resources (img) from open-time.net (for example https://open-time.net/public/illustrations/fourmi.gif) are not loaded, and are not even reported as violating the CSP directive.

With the dev tools, when inspecting the expected img, Firefox gives only the following message: "Unable to load image".

Note that the very same page, loaded in Chrome OS X, is perfectly displayed with all expected open-time resources.


Expected results:

As the reference (https://www.w3.org/TR/CSP/#framework-directive-source-list) says, the scheme is not mandatory for a host source:

> ; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
> host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]

So Firefox should use https then http if necessary.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Hey Franck, do you think you can provide a complete example?
I tried to reproduce here => https://everlong.org/mozilla/test-csp
but this works as expected for me.
Ah, in my example, in the error message for the second image, we have the CSP: img-src https://everlong.org https://open-time.net 

Looks like Firefox added "https://" manually, but I don't know why.

Franck, is your example page hosted on HTTP? Could you please share with us the complete error message that appears in the console? Thanks!
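The spec excerpt quoted in the report and the console message noted above ("img-src https://everlong.org https://open-time.net" for a policy written as "everlong.org open-time.net") are both explained by the same CSP matching rule: a host-source with no scheme-part takes the scheme of the protected resource (the page), and only an http page may additionally load https resources from such a source. The following is an added illustration, not code from this bug, from Dotclear or from Firefox. It implements that rule for host-sources, scheme-sources and 'self'; the page origin https://cms.example/ is an assumption, the img-src value is the one from the report, and path matching is a plain prefix check rather than the spec's segment-wise comparison.

```javascript
// Added example: minimal CSP source-list matcher, written to show how a
// scheme-less host-source such as "open-time.net" is matched. Illustrative
// code only; it is not Firefox's implementation.
// Assumptions: keyword sources other than 'self' are ignored, nonces and
// hashes are not handled, and path-part matching is a simple prefix check.

// host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
const HOST_SOURCE_RE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/\S*)?$/i;
// scheme-source = scheme-part ":"   (e.g. "data:", "blob:")
const SCHEME_SOURCE_RE = /^([a-z][a-z0-9+.-]*):$/i;

// Scheme-part match: equal, or a secure upgrade (http -> https, ws -> wss).
function schemePartMatch(a, b) {
  const x = a.toLowerCase();
  const y = b.toLowerCase();
  return x === y || (x === "http" && y === "https") || (x === "ws" && y === "wss");
}

function hostPartMatch(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" }[protocol] || "";
}

// url is a WHATWG URL; url.port is "" when the port is the scheme's default.
function portPartMatch(pattern, url) {
  if (pattern === null) return url.port === ""; // no port-part: default port only
  if (pattern === "*") return true;
  return pattern === (url.port === "" ? defaultPort(url.protocol) : url.port);
}

function pathPartMatch(pattern, path) {
  if (pattern === "") return true;
  if (pattern.endsWith("/")) return path.startsWith(pattern);
  return pattern === path;
}

// Does one source expression match url, for a page served from origin?
function sourceMatches(expr, url, origin) {
  if (expr === "'self'") {
    return url.protocol === origin.protocol && url.host === origin.host;
  }
  if (expr === "*") {
    return ["http:", "https:", "ws:", "wss:"].includes(url.protocol) ||
      url.protocol === origin.protocol;
  }
  const urlScheme = url.protocol.slice(0, -1);
  let m = SCHEME_SOURCE_RE.exec(expr);
  if (m) return schemePartMatch(m[1], urlScheme);
  m = HOST_SOURCE_RE.exec(expr);
  if (!m) return false; // 'unsafe-inline', nonces, hashes: not handled here
  const [, scheme, host, port, path] = m;
  // The point of the bug: with no scheme-part, the page's own scheme is used.
  const effectiveScheme = scheme || origin.protocol.slice(0, -1);
  if (!schemePartMatch(effectiveScheme, urlScheme)) return false;
  if (!hostPartMatch(host.toLowerCase(), url.hostname)) return false;
  if (!portPartMatch(port === undefined ? null : port, url)) return false;
  return pathPartMatch(path || "", url.pathname);
}

function urlMatchesSourceList(sourceList, urlString, originString) {
  const url = new URL(urlString);
  const origin = new URL(originString);
  return sourceList.trim().split(/\s+/).some((expr) => sourceMatches(expr, url, origin));
}

// Mirrors how the console message renders a policy: scheme-less host-sources
// are shown with the page's scheme filled in.
function withOriginScheme(sourceList, originString) {
  const scheme = new URL(originString).protocol;
  return sourceList.trim().split(/\s+/).map((expr) => {
    const m = HOST_SOURCE_RE.exec(expr);
    return m && !m[1] && m[2] !== "*" ? `${scheme}//${expr}` : expr;
  }).join(" ");
}

// img-src value from the report; the admin page origin is an assumption.
const IMG_SRC = "'self' data: media.dotaddict.org blob: open-time.net";
const PAGE = "https://cms.example/";

console.log(urlMatchesSourceList(IMG_SRC, "https://open-time.net/public/illustrations/fourmi.gif", PAGE)); // true
console.log(urlMatchesSourceList(IMG_SRC, "http://open-time.net/public/illustrations/fourmi.gif", PAGE)); // false
console.log(withOriginScheme(IMG_SRC, PAGE));
```

Run with `node csp-match.js`. On an https page the bare "open-time.net" source admits the https image but not an http one, while on an http page it admits both, which is what the spec's scheme-part rule requires; if an allowed resource still fails to load without any CSP report, the block is coming from something other than the policy.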
(In reply to Julien Wajsberg [:julienw] from comment #1)
> Hey Franck, do you think you can provide a complete example?
> I tried to reproduce here => https://everlong.org/mozilla/test-csp
> but this works as expected for me.

Not so easy, as it's an administrative page (protected by login/pwd), and I can't provide a URL to test the problem directly.
(In reply to Julien Wajsberg [:julienw] from comment #2)
> Ah, in my example, in the error message for the second image, we have the
> CSP: img-src https://everlong.org https://open-time.net 
> 
> Looks like Firefox added "https://" manually, but I don't know why.
> 
> Franck, is your example page hosted on HTTP? Could you please share with us
> the complete error message that appears in the console? Thanks!

My page/image is served on HTTPS only.

On the console I have this:

> Content Security Policy: The page's settings blocked the loading of a resource at https://static1.squarespace.com/static/58879499725e2572b9c4e0ec/t/588d2571197aeae36a5e0d60/1509589582960/?format=1500w ("img-src https://everlong.org https://open-time.net").
> Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src https://everlong.org").
> Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src https://everlong.org"). Source: @media print {#ghostery-purple-box {disp....
> Content Security Policy: The page's settings blocked the loading of a resource at data:image/png;base64,iVBORw0KGgoAAAANSU... ("img-src https://everlong.org https://open-time.net").

But nothing about the unloaded image!
I believe those are the errors coming from my page, not yours :) Can you please show the errors coming from your page?
(In reply to Julien Wajsberg [:julienw] from comment #5)
> I believe those are the errors coming from my page, not yours :) Can you please
> show the errors coming from your page?

Nothing concerning open-time.net is displayed in the console, so I don't have a message to show, sorry!

When inspecting the page code and hovering over the img href, I get a popup with (in French): "Impossible de charger l'image" (unable to load image). That's all.
Note that the very same page is totally functional (images loaded) in Firefox Dev Edition (58.0b7)
My bad, it's the PrivacyBadger extension from the EFF which blocks image loading.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID