Open Bug 1899512 Opened 1 month ago Updated 23 days ago

CSP: Introduce the self-origin concept and use the "Does url match expression ..." algorithm

Categories

(Core :: DOM: Security, task, P3)

People

(Reporter: tschuster, Unassigned)

References

(Blocks 4 open bugs)

Details

(Whiteboard: [domsecurity-backlog])

We currently have something called mSelfURI, which is not the same thing as the spec-defined self-origin. Notably, we will even include the scheme of the mSelfURI during parsing of schemeless hosts. When I tried undoing that in bug 1804145, we hit serious problems that caused us to back out the change.

Furthermore, after we have a self-origin, we can go ahead and change our old way of host-src/scheme-src matching (primarily in nsCSPHostSrc::permits) to actually follow the specification for "6.7.2.8. Does url match expression in origin with redirect count?". I am, however, slightly concerned that this isn't actually implemented in any browser at the moment and thus has actual specification issues such as https://github.com/w3c/webappsec-csp/issues/487.
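
The schemeless-host case described in the comment above, as an added JavaScript sketch that is not Firefox's code and not part of the bug: it follows the scheme-part matching rules of CSP Level 3 and resolves a schemeless host-source against the self-origin's scheme at match time. `hostSourceAllows`, `parseHostSource` and the `selfOrigin` record are hypothetical names; port, path and wildcard-host matching are left out.

```javascript
// Added illustration; not Firefox code. Covers only the scheme steps of
// host-source matching; port, path and wildcard-host matching are omitted.

// CSP3 "scheme-part matches": may an expression scheme `a` match URL scheme `b`?
function schemePartMatches(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  if (a === b) return true;
  if (a === "http") return b === "https";
  if (a === "ws") return b === "wss" || b === "http" || b === "https";
  if (a === "wss") return b === "https";
  return false;
}

// Split a host-source into its optional scheme-part and host-part (simplified).
function parseHostSource(expression) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expression);
  if (!m) throw new Error("not a host-source: " + expression);
  // A schemeless expression keeps scheme === null; nothing is baked in here.
  return { scheme: m[1] || null, host: m[2].toLowerCase() };
}

// selfOrigin is a hypothetical { scheme, host } record for the protected resource.
function hostSourceAllows(expression, url, selfOrigin) {
  const expr = parseHostSource(expression);
  const u = new URL(url);
  if (!u.hostname) return false; // url has no host (e.g. data:)
  const urlScheme = u.protocol.slice(0, -1);
  // Schemeless expression: the self-origin's scheme is consulted at match time.
  const scheme = expr.scheme !== null ? expr.scheme : selfOrigin.scheme;
  if (!schemePartMatches(scheme, urlScheme)) return false;
  return expr.host === u.hostname.toLowerCase();
}

// Constructed sample origins for the two page schemes.
const httpsPage = { scheme: "https", host: "page.test" };
const httpPage = { scheme: "http", host: "page.test" };
console.log(hostSourceAllows("example.com", "http://example.com/a.js", httpsPage));
console.log(hostSourceAllows("example.com", "https://example.com/a.js", httpPage));
```

With these rules, a schemeless `example.com` on an https page rejects `http://example.com/`, while on an http page it accepts both the http and https URL.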

Putting in the domsecurity backlog based on bug 1804145 comment 11 and to match the other bugs it blocks. Please change to domsecurity-active if you filed this bug because you're actively working on it again.

Severity: -- → N/A
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
Duplicate of this bug: 1891466