CSP blocks domains incorrectly when on a site with non-standard port

RESOLVED FIXED in mozilla14

Product: Core
Component: DOM: Core & HTML
Status: RESOLVED FIXED
Reporter: me, Assigned: geekboy
Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla14
Platform: All, Other
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: Not tracked
Attachments: 1 attachment

Description (Reporter, 6 years ago)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.55 Safari/535.1

Steps to reproduce:

I host two identical sites locally - one is at localhost:80 and the other is at localhost:8000. They have the following content:

<html><body>Hello World <script src="http://www.google.com/jsapi"></script></body></html>

They have identical CSP headers:

x-content-security-policy:allow 'self'; script-src www.google.com;


Actual results:

The site at localhost:8000 does not load the script from google and raises the following error:

Warning: CSP: Directive "script-src www.google.com" violated by http://www.google.com/jsapi


Expected results:

I would assume both sites should behave the same. I can see how different ports may affect the patterns in the CSP headers, but not the site that contains the CSP headers.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated (Assignee, 6 years ago)
Assignee: nobody → sstamm
Blocks: 493857
Comment 1 (Assignee, 6 years ago)

Created attachment 547489: fix

I created an xpcom test that quickly verified this behavior.

The fix itself is pretty straightforward (bad logic), but there were some other bits of the parser that needed repairs as a result of this fix to keep our unit tests happy.  These were deep problems in the way that 'self' was being parsed and handled, and as a result, I had to rework some of the 'self' parsing and object representation to do the right thing (act as a pointer to another CSPSource).
Attachment #547489 - Flags: review?(mrbkap)
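
The behaviour the report expects, written as a small regression check. This is an added example, not Firefox's CSP code and not part of the attachment: it is a simplified matcher (no wildcard hosts), and the `inheritPort` switch is a hypothetical model of how a port-less source can end up tied to the document's port, since the report does not show the faulty logic.

```javascript
// Added example: host-source matching for a page served on a non-standard port.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Effective port of a URL: the explicit port, else the scheme default.
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Parse one source expression: 'self', host, host:port or scheme://host[:port].
// 'self' resolves to the protected document's own scheme, host and port.
// inheritPort=true models the ASSUMED faulty behaviour: a host written without
// a port picks up the document's port instead of the scheme's default port.
function parseSource(expr, docUrl, inheritPort) {
  const doc = new URL(docUrl);
  if (expr === "'self'") {
    return { scheme: doc.protocol, host: doc.hostname, port: effectivePort(doc) };
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  // A missing scheme is taken from the document (simplification).
  const scheme = m[1] ? m[1].toLowerCase() + ":" : doc.protocol;
  const port = m[3] ||
    (inheritPort ? effectivePort(doc) : DEFAULT_PORTS[scheme] || "");
  return { scheme, host: m[2].toLowerCase(), port };
}

// Compare a parsed source against the URL being loaded.
function sourceAllows(src, requestUrl) {
  const req = new URL(requestUrl);
  return src.scheme === req.protocol &&
         src.host === req.hostname &&
         (src.port === "*" || src.port === effectivePort(req));
}

// True if any expression in the directive's source list allows the request.
function allows(sourceList, docUrl, requestUrl, inheritPort = false) {
  return sourceList.trim().split(/\s+/)
    .some(e => sourceAllows(parseSource(e, docUrl, inheritPort), requestUrl));
}

// Constructed inputs taken from the report's two local sites.
const SCRIPT = "http://www.google.com/jsapi";
console.log(allows("www.google.com", "http://localhost/", SCRIPT));
console.log(allows("www.google.com", "http://localhost:8000/", SCRIPT));
console.log(allows("www.google.com", "http://localhost:8000/", SCRIPT, true));
```

With `inheritPort` left off, both documents load the script; with it on, only the page at `localhost:8000` is blocked, which matches the reported symptom.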

Updated (6 years ago)
Attachment #547489 - Flags: review?(mrbkap) → review+
Comment 2 (Assignee, 6 years ago)

I was just about to rebase this patch, but it looks like there's no merging necessary.  It still applies cleanly to mozilla-central.  We should probably land this, since it's tiny and has been sitting with r+ for many moons.
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/32c3987fb6f2
Flags: in-testsuite+
Keywords: checkin-needed
Target Milestone: --- → mozilla14
https://hg.mozilla.org/mozilla-central/rev/32c3987fb6f2
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED