Closed Bug 672961 Opened 10 years ago Closed 9 years ago
CSP blocks domains incorrectly when on a site with non-standard port
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.55 Safari/535.1

Steps to reproduce:

I host two identical sites locally - one is at localhost:80 and the other is at localhost:8000. They have the following content:

<html><body>Hello World <script src="http://www.google.com/jsapi"></script></body></html>

They have identical CSP headers:

x-content-security-policy:allow 'self'; script-src www.google.com;

Actual results:

The site at localhost:8000 does not load the script from google and raises the following error:

Warning: CSP: Directive "script-src www.google.com" violated by http://www.google.com/jsapi

Expected results:

I would assume both sites should behave the same. I can see how different ports may affect the patterns in the CSP headers, but not the site that contains the CSP headers.
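Added example, not part of the original report and not Firefox's CSP code: a minimal host-source matcher in which a source without an explicit port takes the default port of its scheme, so the policy from the report gives the same result for documents on localhost:80 and localhost:8000. All function names and the `inheritSelfPort` switch are assumptions; the switch is a constructed faulty mode that reproduces the reported symptom, and the page does not say what the actual logic error was. Host wildcards are left out.

```javascript
// Added illustration, not Firefox's CSP implementation. All names are hypothetical.
const DEFAULT_PORTS = { http: 80, https: 443 };

// Split a URL into scheme, host and port, filling in the scheme's default port.
function originParts(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname, port: Number(u.port) || DEFAULT_PORTS[scheme] };
}

// Parse 'self' or a host-source such as "www.google.com" or "https://cdn.example:8443".
// A missing scheme is taken from the protected document. A missing port is the
// scheme's default port; it must not depend on the port the document is served from.
// inheritSelfPort = true is the constructed faulty mode (assumption, see lead-in).
function parseSource(expr, self, inheritSelfPort = false) {
  if (expr === "'self'") return { ...self };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error(`unparseable source: ${expr}`);
  const scheme = (m[1] || self.scheme).toLowerCase();
  let port;
  if (m[3] === "*") port = "*";
  else if (m[3]) port = Number(m[3]);
  else port = inheritSelfPort ? self.port : DEFAULT_PORTS[scheme];
  return { scheme, host: m[2].toLowerCase(), port };
}

// A source allows a target when scheme, host and port all match ("*" matches any port).
function sourceAllows(src, target) {
  return src.scheme === target.scheme &&
         src.host === target.host &&
         (src.port === "*" || src.port === target.port);
}

// Evaluate a script-src source list for a script loaded by the document at documentUrl.
function scriptAllowed(documentUrl, sourceList, scriptUrl, inheritSelfPort = false) {
  const self = originParts(documentUrl);
  const target = originParts(scriptUrl);
  return sourceList.some((e) => sourceAllows(parseSource(e, self, inheritSelfPort), target));
}

// The policy and script URL from the report, evaluated for both local sites.
const SCRIPT = "http://www.google.com/jsapi";
for (const doc of ["http://localhost:80/", "http://localhost:8000/"]) {
  console.log(doc, scriptAllowed(doc, ["www.google.com"], SCRIPT),
              "faulty mode:", scriptAllowed(doc, ["www.google.com"], SCRIPT, true));
}
```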
Assignee: nobody → sstamm
I created an xpcom test that quickly verified this behavior. The fix itself is pretty straightforward (bad logic), but there were some other bits of the parser that needed repairs as a result of this fix to keep our unit tests happy. These were deep problems in the way that 'self' was being parsed and handled, and as a result, I had to rework some of the 'self' parsing and object representation to do the right thing (act as a pointer to another CSPSource).
Attachment #547489 - Flags: review?(mrbkap)
Attachment #547489 - Flags: review?(mrbkap) → review+
I was just about to rebase this patch, but it looks like there's no merging necessary. It still applies cleanly to mozilla-central. We should probably land this, since it's tiny and has been sitting with r+ for many moons.
Target Milestone: --- → mozilla14
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED