http-Images on https-Pages are reported as CSP violations

Status: RESOLVED INVALID
Severity: minor
Reported / last modified: 8 years ago
Reporter: jz-2011
Assignee: Unassigned
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 8 years ago)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110302 Iceweasel/3.5.16 (like Firefox/3.5.16)
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Hi.

If I use the following (apache) configuration

    Header set X-Content-Security-Policy-Report-Only \
      "allow *.domain1.tld *.domain2.tld; \
      options eval-script inline-script; \
      report-uri /perl/csp-report.pl"

I find reports in my log about images with http:// URLs on https:// pages as a violation of "allow *.domain1.tld *.domain2.tld". I don't see why they are violations. The scheme is not mentioned in the policy.

Sincerely,
Joachim

Reproducible: Always

Comment 1

CSP is working in this case in the way it was designed. You cannot whitelist all schemes with a wildcard; you must be explicit with schemes.

From https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#source-expressions :
> [If] a scheme is not specified as part of the source expression, a user-agent must
> use the same scheme as the protected document.

In your case, https:// is inherited from the top-level page since no schemes are specified in the policy. To allow both, you have to whitelist both, e.g.:

    allow *.domain1.tld http://*.domain1.tld *.domain2.tld http://*.domain2.tld

This was designed specifically to prevent sites from unintentionally whitelisting arbitrary protocols for their site content.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID
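The scheme-inheritance rule discussed in this bug, worked through as an added example (this is illustrative code, not part of the bug report, the spec, or Firefox's CSP implementation). It implements a deliberately simplified source-expression matcher: a source without a scheme takes the scheme of the protected document, so on an https:// page the reporter's policy rejects an http:// image while the policy suggested in the reply accepts it. Host names and URLs are constructed; ports and paths are ignored to keep the matcher short.

```python
"""Simplified CSP source-expression matcher demonstrating scheme inheritance.

Added example, not code from the bug, the spec, or Gecko. Hostnames and URLs
below are constructed; the two policies mirror the ones quoted in the bug.
"""
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str) -> bool:
    """Match a CSP host pattern ('*', '*.example.tld', 'a.example.tld') against a host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]              # "*.domain1.tld" -> ".domain1.tld"
        # The wildcard requires at least one extra label; bare "domain1.tld" does not match.
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_matches(expr: str, resource_url: str, document_url: str) -> bool:
    """Return True if the source expression `expr` permits `resource_url`.

    When `expr` carries no scheme, the protected document's scheme is used,
    which is the spec rule quoted in the reply. Ports and paths are ignored
    here to keep the example short; a real matcher must compare them too.
    """
    doc, res = urlsplit(document_url), urlsplit(resource_url)
    if "://" in expr:
        scheme, _, host_part = expr.partition("://")
    else:
        scheme, host_part = doc.scheme, expr   # scheme inherited from the document
    if res.scheme.lower() != scheme.lower():
        return False
    pattern_host = host_part.split("/", 1)[0].split(":", 1)[0]
    return host_matches(pattern_host, res.hostname or "")


def policy_allows(sources, resource_url, document_url) -> bool:
    """A resource is allowed if any source expression in the directive matches."""
    return any(source_matches(s, resource_url, document_url) for s in sources)


def violation_report(sources, resource_url, document_url, directive="allow"):
    """Return the report a browser would POST to report-uri, or None when allowed.

    Field names follow the CSP violation report format; the content is constructed.
    """
    if policy_allows(sources, resource_url, document_url):
        return None
    return {"csp-report": {
        "document-uri": document_url,
        "blocked-uri": resource_url,
        "violated-directive": f"{directive} {' '.join(sources)}",
    }}


# The reporter's policy, as written in the bug (no schemes given)
REPORTER_POLICY = ["*.domain1.tld", "*.domain2.tld"]
# The policy suggested in the reply: both schemes listed explicitly
FIXED_POLICY = ["*.domain1.tld", "http://*.domain1.tld",
                "*.domain2.tld", "http://*.domain2.tld"]

# Constructed sample URLs
DOCUMENT = "https://www.domain1.tld/index.html"
HTTP_IMAGE = "http://img.domain1.tld/logo.png"
HTTPS_IMAGE = "https://img.domain2.tld/logo.png"
OTHER_IMAGE = "https://cdn.other.example/pixel.gif"

if __name__ == "__main__":
    print(violation_report(REPORTER_POLICY, HTTP_IMAGE, DOCUMENT))   # a report: scheme mismatch
    print(violation_report(FIXED_POLICY, HTTP_IMAGE, DOCUMENT))      # None: http:// listed explicitly
```

Running the block shows the reporter's symptom directly: the http:// image generates a report against `allow *.domain1.tld *.domain2.tld` even though the host matches, because the inherited scheme is https, and the same image is allowed once `http://*.domain1.tld` is listed.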