Closed
Bug 524066
Opened 15 years ago
Closed 14 years ago
CSP should support dotless hosts
Categories
(Core :: Security, enhancement)
Core
Security
Tracking
()
RESOLVED
FIXED
People
(Reporter: guninski, Assigned: geekboy)
References
()
Details
Attachments
(1 file)
|
1.01 KB,
patch
|
dveditz
:
review+
|
Details | Diff | Splinter Review |
CSP doesn't seem to work correctly for dotless hosts - too restrictive. policy allow: self with host say "desktop" <script src="/script.js"> or <script src="http://desktop/script.js"> block access to "desktop" though it is the original hosts. dotless hosts may be legitimately used in intranets.
|
Assignee | |
Comment 1•15 years ago
|
||
The preview build correctly enforces policy as defined in the CSP specification... but we should probably change the specification to permit dotless hosts too since they seem useful. I'll change the formal syntax and the parser implementation to accommodate this.
Syntax change:
<host-name> ::= "*"
| <ldh-str>"."<ldh-str>
| <host-name>"."<ldh-str>
to:
<host-name> ::= "*"
| <ldh-str>
| <host-name>"."<ldh-str>Assignee: nobody → sstamm
Blocks: 515433
Severity: normal → enhancement
Status: NEW → ASSIGNED
OS: Linux → All
Hardware: x86 → All
Summary: CSP is too restrictive for dotless hosts → CSP should support dotless hosts
|
|
Assignee | |
Comment 2•14 years ago
|
||
This proposed fix removes the checks on parsed hosts that makes sure it is one of the following:
(1) equal to "*"
(2) equal to "localhost"
(3) more than one segment ("x.y", "*.y", etc...)|
|
Assignee | |
Updated•14 years ago
|
Attachment #429267 -
Flags: review?(dveditz)
|
||
Comment 3•14 years ago
|
||
Comment on attachment 429267 [details] [diff] [review] proposed fix r=dveditz
Attachment #429267 -
Flags: review?(dveditz) → review+
|
||
Comment 4•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/426165b08c0c
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•