Bug 672961: CSP blocks domains incorrectly when on a site with non-standard port
Status: RESOLVED FIXED, mozilla14
Opened 14 years ago, closed 13 years ago
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: me, Assigned: geekboy
References: Blocks 1 open bug
Attachments: 1 file (8.86 KB, patch; mrbkap: review+)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.55 Safari/535.1
Steps to reproduce:
I host two identical sites locally - one is at localhost:80 and the other is at localhost:8000. They have the following content:
<html><body>Hello World <script src="http://www.google.com/jsapi"></script></body></html>
They have identical CSP headers:
x-content-security-policy:allow 'self'; script-src www.google.com;
Actual results:
The site at localhost:8000 does not load the script from Google and raises the following error:
Warning: CSP: Directive "script-src www.google.com" violated by http://www.google.com/jsapi
Expected results:
I would assume both sites should behave the same. I can see how different ports may affect the patterns in the CSP headers, but not the site that contains the CSP headers.
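The behaviour the reporter expects, as an added example that is not part of the bug report or of Firefox's code: a simplified host-source matcher in which a source without a port takes the default port of its scheme. The `inheritPort` switch is a hypothetical stand-in for logic that takes the missing port from the protected document instead, which reproduces the reported symptom; that this was the actual defect is an assumption, as is inheriting a missing scheme from the document.

```javascript
// Added illustration; not Firefox's CSP implementation.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Effective port of a URL: the explicit port, else the scheme default.
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Parse a source such as "www.google.com", "http://a.example:8080" or 'self'.
// inheritPort (hypothetical switch) selects where a missing port comes from:
//   false -> the scheme's default port (behaviour the report expects)
//   true  -> the protected document's port (constructed faulty logic)
function parseSource(expr, docUrl, inheritPort) {
  const doc = new URL(docUrl);
  if (expr === "'self'") {
    // 'self' is the document's own scheme, host and port.
    return { scheme: doc.protocol, host: doc.hostname, port: effectivePort(doc) };
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  // Assumption: a source without a scheme uses the document's scheme.
  const scheme = m[1] ? m[1].toLowerCase() + ":" : doc.protocol;
  const port = m[3] || (inheritPort ? effectivePort(doc) : DEFAULT_PORTS[scheme] || "");
  return { scheme, host: m[2].toLowerCase(), port };
}

// True when resourceUrl matches the source expression for a page at docUrl.
function permits(expr, docUrl, resourceUrl, inheritPort = false) {
  const src = parseSource(expr, docUrl, inheritPort);
  const res = new URL(resourceUrl);
  return src.scheme === res.protocol &&
         src.host === res.hostname &&
         src.port === effectivePort(res);
}

// The two sites from the report, checked against "script-src www.google.com".
function demo() {
  const script = "http://www.google.com/jsapi";
  return ["http://localhost/", "http://localhost:8000/"].map((doc) => ({
    doc,
    expected: permits("www.google.com", doc, script, false),
    faulty: permits("www.google.com", doc, script, true),
  }));
}

console.log(demo());
```

With the faulty variant the script is allowed from the port-80 site and blocked from the port-8000 site, which is the asymmetry described in the report.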
Updated•14 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1•14 years ago (Assignee)
I created an xpcom test that quickly verified this behavior.
The fix itself is pretty straightforward (bad logic), but there were some other bits of the parser that needed repairs as a result of this fix to keep our unit tests happy. These were deep problems in the way that 'self' was being parsed and handled, and as a result, I had to rework some of the 'self' parsing and object representation to do the right thing (act as a pointer to another CSPSource).
Attachment #547489 - Flags: review?(mrbkap)
Updated•14 years ago
Attachment #547489 - Flags: review?(mrbkap) → review+
Comment 2•13 years ago (Assignee)
I was just about to rebase this patch, but it looks like there's no merging necessary. It still applies cleanly to mozilla-central. We should probably land this, since it's tiny and has been sitting with r+ for many moons.
Keywords: checkin-needed
Comment 3•13 years ago
Comment 4•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED