CSP policy-uri should accept relative URIs

RESOLVED FIXED

enhancement
9 years ago
4 months ago

People

(Reporter: geekboy, Assigned: geekboy)

Tracking

(Blocks 1 bug)

Trunk
We should allow the use of relative URIs in policy-uri; since there are so many restrictions on it anyway, policies could be shortened by just specifying a path. For example, on a page at https://mysite.com/foo:

X-Content-Security-Policy: policy-uri /lockdown.csp

Would cause the policy to be loaded from https://mysite.com/lockdown.csp

Lifted URI-ification of selfUri out of the specific policy-uri parsing bit of the loop, and set selfUri as the base URI when parsing the policy uri.
Attachment #450247 - Flags: review?(bsterne)

Comment on attachment 450247
Proposed Patch

r=bsterne
Attachment #450247 - Flags: review?(dveditz)
Attachment #450247 - Flags: review?(bsterne)
Attachment #450247 - Flags: review+
Attachment #450247 - Flags: approval2.0?

Comment on attachment 450247
Proposed Patch

Please do not request approval until reviews are complete.
Attachment #450247 - Flags: approval2.0?

Comment on attachment 450247
Proposed Patch

r=dveditz
Attachment #450247 - Flags: review?(dveditz) → review+
Attachment #450247 - Flags: approval2.0?
Attachment #450247 - Flags: approval2.0? → approval2.0+

http://hg.mozilla.org/mozilla-central/rev/930f0a4d70d0
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Duplicate of this bug: 594446
Component: DOM → DOM: Core & HTML
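
The resolution behaviour requested in this bug, as an added example that is not the attached patch or Mozilla's code: the policy-uri value is resolved against the document's own URI (selfUri as the base), and the check runs on the resolved result. The helper name `resolvePolicyUri`, the one-argument rule and the same-origin requirement are assumptions standing in for the "restrictions" the report mentions.

```javascript
'use strict';
// Added example, not Mozilla's patch. resolvePolicyUri is a hypothetical helper.
// Assumption: the resolved policy URI must share the document's origin.

function resolvePolicyUri(headerValue, selfUri) {
  const base = new URL(selfUri); // URI of the protected document
  for (const directive of headerValue.split(';')) {
    const [name, ...args] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'policy-uri') continue;
    if (args.length !== 1) {
      throw new Error('policy-uri takes exactly one URI');
    }
    // Relative references (path, path-absolute, scheme-relative) resolve
    // against the document URI, so the origin check must run on the result,
    // never on the raw string from the header.
    const resolved = new URL(args[0], base);
    if (resolved.origin !== base.origin) {
      throw new Error(
        `policy-uri ${resolved.href} is not same-origin with ${base.origin}`);
    }
    return resolved.href;
  }
  return null; // header carries no policy-uri directive
}

// Constructed sample inputs: [header value, document URI].
const SAMPLES = [
  ['policy-uri /lockdown.csp', 'https://mysite.com/foo'],
  ['policy-uri lockdown.csp', 'https://mysite.com/app/page'],
  ['policy-uri https://mysite.com:443/lockdown.csp', 'https://mysite.com/foo'],
  ['policy-uri //other.example/lockdown.csp', 'https://mysite.com/foo'],
  ['policy-uri http://mysite.com/lockdown.csp', 'https://mysite.com/foo'],
];

function runSamples() {
  return SAMPLES.map(([header, doc]) => {
    try {
      return { header, result: resolvePolicyUri(header, doc) };
    } catch (e) {
      return { header, rejected: e.message };
    }
  });
}

for (const row of runSamples()) console.log(row);
```

The last two samples are the cases to watch once relative references are accepted: a scheme-relative reference and a scheme downgrade both parse cleanly but resolve to a different origin.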