Closed Bug 659015 Opened 12 years ago Closed 12 years ago

http-Images on https-Pages are reported as CSP violations

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
minor

Tracking

RESOLVED INVALID

People

(Reporter: jz-2011, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110302 Iceweasel/3.5.16 (like Firefox/3.5.16)
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Hi.

If I use the following (apache) configuration
Header set X-Content-Security-Policy-Report-Only \
  "allow *.domain1.tld *.domain2.tld; \
  options eval-script inline-script; \
  report-uri /perl/csp-report.pl"

I find reports in my log about images with http:// urls on https:// pages as a violation of "allow *.domain1.tld *.domain2.tld". I don't see why they are violations. The schema is not mentioned in the policy.

Sincerely,
Joachim

Reproducible: Always

CSP is working in this case in the way it was designed.  You cannot whitelist all schemes with a wildcard; you must be explicit with schemes.

From https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#source-expressions :
> If a scheme is not specified as part of the source expression, a user-agent must
> use the same scheme as the protected document.

In your case, https:// is inherited from the top-level page since no schemes are specified in the policy.  To allow both, you have to whitelist both, e.g.:
allow *.domain1.tld http://*.domain1.tld *.domain2.tld http://*.domain2.tld

This was designed specifically to prevent sites from unintentionally whitelisting arbitrary protocols for their site content.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
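Added example, not part of the bug or of Firefox's CSP code: a small matcher for the host-style source expressions in the old X-Content-Security-Policy "allow" list that applies the scheme-inheritance rule quoted in the comment above. It checks the reporter's original allow list and the responder's corrected one against an https page loading http and https images. Function names, the sample page URL and the sample image URLs are assumptions made for the illustration.

```javascript
// Added example (not code from this bug or from Firefox): a minimal evaluator for
// host-style CSP source expressions with scheme inheritance from the protected document.
// Function names and sample URLs below are assumptions, not anything from the report.

// Parse a host-style source expression into its parts.
// Handles "*", "scheme://host", "*.host" and "host"; a trailing port is ignored.
function parseSourceExpression(expr) {
  let scheme = null;
  let rest = expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(expr);
  if (m) {
    scheme = m[1].toLowerCase();
    rest = m[2];
  }
  let subdomainWildcard = false;
  if (rest.startsWith("*.")) {
    subdomainWildcard = true;
    rest = rest.slice(2);
  }
  const host = rest.replace(/:\d+$/, "").toLowerCase(); // ports are out of scope here
  return { scheme, host, subdomainWildcard };
}

// Does resourceUrl match one source expression, evaluated against the protected document?
function matchesSource(expr, protectedDocUrl, resourceUrl) {
  const doc = new URL(protectedDocUrl);
  const res = new URL(resourceUrl);
  const docScheme = doc.protocol.slice(0, -1); // "https:" -> "https"
  const resScheme = res.protocol.slice(0, -1);

  if (expr === "'self'") return res.origin === doc.origin;
  if (expr === "'none'") return false;

  const src = parseSourceExpression(expr);
  // The spec rule quoted in the comment: no scheme in the expression means the
  // protected document's scheme is required. A bare "*" inherits it too, which is
  // why a wildcard alone cannot whitelist every scheme.
  const requiredScheme = src.scheme || docScheme;
  if (resScheme !== requiredScheme) return false;

  if (src.host === "*") return true;
  if (src.subdomainWildcard) {
    // "*.domain1.tld" matches img.domain1.tld but not domain1.tld itself
    return res.hostname.endsWith("." + src.host);
  }
  return res.hostname === src.host;
}

// Is the resource allowed by a whitespace-separated allow list?
function isAllowed(allowList, protectedDocUrl, resourceUrl) {
  return allowList
    .trim()
    .split(/\s+/)
    .some((e) => matchesSource(e, protectedDocUrl, resourceUrl));
}

// The resources that would be posted to report-uri as violations.
function violations(allowList, protectedDocUrl, resourceUrls) {
  return resourceUrls.filter((u) => !isAllowed(allowList, protectedDocUrl, u));
}

// The allow list from the report, and the one the responder suggests.
const ORIGINAL_ALLOW = "*.domain1.tld *.domain2.tld";
const FIXED_ALLOW = "*.domain1.tld http://*.domain1.tld *.domain2.tld http://*.domain2.tld";

// Constructed sample (assumed, not from the bug): an https page loading three images.
const PAGE = "https://www.domain1.tld/index.html";
const IMAGES = [
  "https://img.domain1.tld/logo.png",
  "http://img.domain1.tld/banner.png",
  "http://cdn.domain2.tld/photo.jpg",
];

console.log("original allow list, violations:", violations(ORIGINAL_ALLOW, PAGE, IMAGES));
console.log("fixed allow list, violations:   ", violations(FIXED_ALLOW, PAGE, IMAGES));
```

With the original allow list both http:// images land in the report log; with the explicit http:// entries added they do not, while a scheme such as ftp:// is still rejected because it is named nowhere. Before loosening the policy this way it is worth remembering that http:// images on an https:// page are mixed content anyway; serving the images over https and keeping the stricter policy is usually the better fix.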