CSP: Introduce the self-origin concept and use the "Does url match expression ..." algorithm
Categories
(Core :: DOM: Security, task, P3)
People
(Reporter: tschuster, Unassigned)
References
(Blocks 4 open bugs)
Details
(Whiteboard: [domsecurity-backlog])
We currently have something called mSelfURI, which is not the same thing as the spec-defined self-origin. Notably we will even include the scheme of the mSelfURI during parsing of schemeless hosts. When I tried undoing that in bug 1804145 we hit serious problems that caused us to back out the change.
Furthermore, after we have a self-origin we can go ahead and change our old way of host-src/scheme-src matching (primarily in nsCSPHostSrc::permits) to actually follow the specification for 6.7.2.8. "Does url match expression in origin with redirect count?". I am however slightly concerned that this isn't actually implemented in any browser at the moment and thus has actual specification issues such as https://github.com/w3c/webappsec-csp/issues/487.
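For readers following the description above, an added sketch (not part of the bug report and not Gecko code) of host-source matching in the style of the CSP Level 3 algorithm, where a schemeless expression is compared against the self-origin's scheme at match time instead of having a scheme folded in at parse time. All function names are hypothetical; path-part matching, redirect count and IP-address hosts are left out.

```javascript
// Added sketch, not Gecko code. Path-part, redirect count and IP hosts omitted.
const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };

// CSP3 "scheme-part matches": a comes from the policy side, b from the URL.
function schemePartMatches(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  return a === b ||
    (a === "http" && b === "https") ||
    (a === "ws" && ["wss", "http", "https"].includes(b)) ||
    (a === "wss" && b === "https");
}

// Split a host-source into parts; the scheme stays null when none is written.
function parseHostSource(expr) {
  const re = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i;
  const m = re.exec(expr);
  return m && { scheme: m[1] || null, host: m[2].toLowerCase(), port: m[3] || null };
}

function portPartMatches(port, url) {
  if (port === "*") return true;
  const want = port === null ? null : String(Number(port)); // normalise "0443"
  const urlPort = url.port || null; // WHATWG URL reports "" for a default port
  if (want === urlPort) return true;
  return urlPort === null && want === DEFAULT_PORTS[url.protocol.slice(0, -1)];
}

// selfOrigin is supplied at match time instead of being folded into the parse.
function hostSourceMatches(expr, urlString, selfOrigin) {
  const src = parseHostSource(expr);
  const url = new URL(urlString);
  if (!src || !url.hostname) return false;
  const selfScheme = new URL(selfOrigin).protocol.slice(0, -1);
  const urlScheme = url.protocol.slice(0, -1);
  // Schemeless expression: the self-origin's scheme decides, with upgrades allowed.
  if (!schemePartMatches(src.scheme ?? selfScheme, urlScheme)) return false;
  const hostOk = src.host.startsWith("*.")
    ? url.hostname.endsWith(src.host.slice(1))
    : url.hostname === src.host;
  return hostOk && portPartMatches(src.port, url);
}
```

The same schemeless expression gives different answers depending on the self-origin passed in: `example.com` allows `https://example.com/` from an `http:` page, but not `http://example.com/` from an `https:` page.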
Comment 1•25 days ago
Putting in the domsecurity backlog based on bug 1804145 comment 11 and to match the other bugs it blocks. Please change to domsecurity-active if you filed this bug because you're actively working on it again.