CSP: if default-src is missing, the rest of the policy is ignored

RESOLVED DUPLICATE of bug 764937


Reporter: francois, Unassigned
Version: 8 Branch
(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24
Build ID: 20111107172717

Steps to reproduce:

I've got the following CSP header on http://fmarier.org/copy.html:

  X-Content-Security-Policy: style-src 'self'; img-src 'self'; font-src 'self'



Actual results:

It should allow local images and stylesheets through (like it did in Firefox 7); however, it doesn't, and only the HTML is displayed.


Expected results:

It should be rendered the same way as http://fmarier.org/ which has this policy:

  X-Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'

Comment 1

That's certainly how our original Mozilla proposal read, but during the evolution of the W3 Content Security Policy spec this was changed so that missing attributes meant no restrictions. In other words, leaving off default-src 'none' was closer to an implied "default-src *".

But when this bug was filed we should not have had that behavior (I'm not sure we've intentionally changed yet), so we need to look into this.
Assignee: nobody → tanvi
Component: General → DOM: Core & HTML
Product: Firefox → Core

Updated

5 years ago
Assignee: tanvi → administration

Updated

5 years ago
Blocks: 663566, 493857

Comment 2

5 years ago
This should be fixed as part of bug 746978; I'll make sure it is.
Assignee: administration → imelven
Status: UNCONFIRMED → ASSIGNED
Depends on: 746978
Ever confirmed: true
Flags: needinfo?(imelven)
OS: Linux → All
Priority: -- → P1
Hardware: x86_64 → All

Comment 3

5 years ago
Sid, isn't this a dupe of bug 764937 as well?
Flags: needinfo?(imelven)

Updated

5 years ago
Flags: needinfo?(imelven)

Comment 4

I think this is not a dupe of 764937... the X- header version (pre 1.0) requires default-src or allow directives, as dveditz says in comment 1. I think this is wontfix for the X- version of the header; though for version 1.0 compliance (bug csp-w3c-1.0) we do need to make sure this works.
Flags: needinfo?(imelven)
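As an added illustration (not Gecko code and not part of this bug), the following toy resolver models the two behaviours described in comments 1 and 4 for the reporter's two headers: the X- header treats a policy with neither default-src nor allow as blocking everything, while CSP 1.0 lets an absent directive fall back to default-src or, when that is absent too, to unrestricted. The parser, the mode names and the simplified origin matcher are assumptions of the example.

```javascript
// Added example, not Gecko's parser: models the two default-src behaviours
// described in this bug for a given policy string and fetch directive.

// Parse "a b c; d e" into Map { "a" => ["b","c"], "d" => ["e"] }; the first
// occurrence of a directive wins and names are case-insensitive.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// mode "x-prefixed": the pre-1.0 X-Content-Security-Policy behaviour this bug
//   reports: with neither default-src nor allow present, nothing but the
//   document itself loads, even for directives the policy names explicitly.
// mode "csp1": the W3C CSP 1.0 rule from comment 1: an absent directive falls
//   back to default-src, and with no default-src either it is unrestricted.
function effectiveSources(header, directive, mode) {
  const directives = parsePolicy(header);
  const base = directives.get('default-src') ||
    (mode === 'x-prefixed' ? directives.get('allow') : undefined);
  if (mode === 'x-prefixed' && !base) return ["'none'"];
  if (directives.has(directive)) return directives.get(directive);
  return base || ['*'];
}

// Minimal matcher for the source expressions used on this page:
// 'self', 'none', '*', or a literal origin (a hypothetical simplification).
function allows(sources, resourceOrigin, pageOrigin) {
  return sources.some((s) =>
    s === '*' || (s === "'self'" && resourceOrigin === pageOrigin) || s === resourceOrigin);
}

// The reporter's two headers, taken from the bug description.
const WITHOUT_DEFAULT = "style-src 'self'; img-src 'self'; font-src 'self'";
const WITH_DEFAULT = "default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'";

// Does a same-origin image on http://fmarier.org load under each parser?
function sameOriginImageLoads(header, mode) {
  const origin = 'http://fmarier.org';
  return allows(effectiveSources(header, 'img-src', mode), origin, origin);
}
```

Under the X- parser the first header blocks the same-origin image that it explicitly allows, which is the symptom the reporter saw; under the 1.0 rule both headers load it, and only the second one also restricts script-src.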

Comment 5

5 years ago
Right, I'm going to test this with the 1.0 parser in the very near future :)
Flags: needinfo?(imelven)
(Reporter)

Comment 6

5 years ago
Is support for the 1.0 spec in Nightly/Aurora? (i.e. what version of Firefox should I test this with?)

Comment 7

5 years ago
(In reply to François Marier [:francois] from comment #6)
> Is support for the 1.0 spec in Nightly/Aurora? (i.e. what version of Firefox
> should I test this with?)

Most of it is in Aurora/Fx 21, see bug 746978 which is the most relevant piece.

You will need to set security.csp.specCompliant to true manually to enable 1.0 spec support (using the unprefixed Content-Security-Policy header) until bug 842657 lands.
Flags: needinfo?(imelven)

Updated

5 years ago
Assignee: imelven → nobody

Updated

5 years ago
Status: ASSIGNED → NEW

Comment 8

This bug is very confusing. Is this a bug in the pre-CSP-1.0 implementation, a bug in the CSP 1.0 implementation, or both? Obviously, this is a big deal if it is a bug in the CSP 1.0 implementation, which I'm guessing it is since it blocks csp-w3c-1.0.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 764937