Bug 672961 - CSP blocks domains incorrectly when on a site with non-standard port
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: DOM: Core & HTML
Version: Trunk
Platform: All Other
Importance: -- normal
Target Milestone: mozilla14
Assigned To: Sid Stamm [:geekboy or :sstamm]
Blocks: CSP
Reported: 2011-07-20 14:58 PDT by me
Modified: 2012-03-22 06:43 PDT
ryanvm: in‑testsuite+


Attachments
fix (8.86 KB, patch)
2011-07-21 13:24 PDT, Sid Stamm [:geekboy or :sstamm]
mrbkap: review+

Description me 2011-07-20 14:58:42 PDT
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.55 Safari/535.1

Steps to reproduce:

I host two identical sites locally - one is at localhost:80 and the other is at localhost:8000. They have the following content:

<html><body>Hello World <script src="http://www.google.com/jsapi"></script></body></html>

They have identical CSP headers:

x-content-security-policy:allow 'self'; script-src www.google.com;


Actual results:

The site at localhost:8000 does not load the script from google and raises the following error:

Warning: CSP: Directive "script-src www.google.com" violated by http://www.google.com/jsapi


Expected results:

I would assume both sites should behave the same. I can see how different ports may affect the patterns in the CSP headers, but not the site that contains the CSP headers.
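
Added example, not part of the original report and not Firefox's CSP code: a small source-expression matcher that reproduces the symptom above. It assumes the faulty logic let a port-less source such as `www.google.com` inherit the protected document's port (the page does not state the cause); all function and field names are hypothetical, and the scheme/port defaulting is simplified.

```javascript
// Added illustration; function and field names are hypothetical, not Firefox's CSP code.
const DEFAULT_PORTS = { http: 80, https: 443 };

// Split "scheme://host:port" (scheme and port optional) into its parts.
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error(`unparseable source expression: ${expr}`);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// Describe a concrete URL (the protected document or a requested resource).
function describe(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  // URL.port is "" when the URL uses the scheme's default port.
  return { scheme, host: u.hostname, port: u.port ? Number(u.port) : DEFAULT_PORTS[scheme] };
}

// inheritDocPort=true models the assumed faulty logic: a port-less source
// takes the protected document's port. false uses the scheme's default port.
function sourceAllows(expr, documentUrl, resourceUrl, inheritDocPort) {
  const src = parseSource(expr);
  const doc = describe(documentUrl);
  const res = describe(resourceUrl);
  const scheme = src.scheme || doc.scheme;        // missing scheme: use the document's
  let port;
  if (src.port === "*") port = res.port;          // wildcard port matches any port
  else if (src.port) port = Number(src.port);     // explicit port in the policy
  else port = inheritDocPort ? doc.port : DEFAULT_PORTS[scheme];
  return scheme === res.scheme && src.host === res.host && port === res.port;
}

// Constructed cases from the report: same policy, same script, two document ports.
function runReportCases() {
  const script = "http://www.google.com/jsapi";
  const out = {};
  for (const doc of ["http://localhost:80/", "http://localhost:8000/"]) {
    out[doc] = {
      inherited: sourceAllows("www.google.com", doc, script, true),
      schemeDefault: sourceAllows("www.google.com", doc, script, false),
    };
  }
  return out;
}

console.log(runReportCases());
```

With the inherited port the script is allowed only for the document on port 80; with the scheme default it is allowed for both documents, which is the behaviour the reporter expected.
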
Comment 1 Sid Stamm [:geekboy or :sstamm] 2011-07-21 13:24:11 PDT
Created attachment 547489
fix

I created an xpcom test that quickly verified this behavior.

The fix itself is pretty straightforward (bad logic), but there were some other bits of the parser that needed repairs as a result of this fix to keep our unit tests happy.  These were deep problems in the way that 'self' was being parsed and handled, and as a result, I had to rework some of the 'self' parsing and object representation to do the right thing (act as a pointer to another CSPSource).
Comment 2 Sid Stamm [:geekboy or :sstamm] 2012-03-21 10:38:42 PDT
I was just about to rebase this patch, but it looks like there's no merging necessary.  It still applies cleanly to mozilla-central.  We should probably land this, since it's tiny and has been sitting with r+ for many moons.
Comment 3 Ryan VanderMeulen [:RyanVM] 2012-03-21 16:57:57 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/32c3987fb6f2
Comment 4 Marco Bonardo [::mak] 2012-03-22 06:43:07 PDT
https://hg.mozilla.org/mozilla-central/rev/32c3987fb6f2
