Closed Bug 702176 Opened 13 years ago Closed 11 years ago

CSP: if default-src is missing, the rest of the policy is ignored

Categories: Core :: DOM: Core & HTML, defect, P1, 8 Branch

Tracking: RESOLVED DUPLICATE of bug 764937

People: Reporter: francois, Unassigned

References: Blocks 2 open bugs

Details
User Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24
Build ID: 20111107172717

Steps to reproduce:

I've got the following CSP header on http://fmarier.org/copy.html:

  X-Content-Security-Policy: style-src 'self'; img-src 'self'; font-src 'self'

Actual results:

It should allow local images and stylesheets through (like it did in Firefox 7); however, it doesn't, and only the HTML is displayed.

Expected results:

It should be rendered the same way as http://fmarier.org/ which has this policy:

  X-Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'

That's certainly how our original Mozilla proposal read, but during the evolution of the W3 Content Security Policy spec this was changed so that missing attributes meant no restrictions. In other words, leaving off default-src 'none' was closer to an implied "default-src *".

But when this bug was filed we should not have had that behavior (I'm not sure we've intentionally changed yet), so we need to look into this.
Assignee: nobody → tanvi
Component: General → DOM: Core & HTML
Product: Firefox → Core
Assignee: tanvi → administration
Blocks: csp-w3c-1.0, CSP
This should be fixed as part of bug 746978; I'll make sure it is.
Assignee: administration → imelven
Status: UNCONFIRMED → ASSIGNED
Depends on: 746978
Ever confirmed: true
Flags: needinfo?(imelven)
OS: Linux → All
Priority: -- → P1
Hardware: x86_64 → All
Sid, isn't this a dupe of bug 764937 as well?
Flags: needinfo?(imelven)
Flags: needinfo?(imelven)
I think this is not a dupe of 764937... the X- header version (pre 1.0) requires default-src or allow directives, as dveditz says in comment 1. I think this is wontfix for the X- version of the header; though for version 1.0 compliance (bug csp-w3c-1.0) we do need to make sure this works.
Flags: needinfo?(imelven)
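The two readings of a missing default-src discussed in comment 1 and comment 5 are easy to confuse, so here is a small evaluator that makes them explicit. This is an added example, not Firefox's CSP code and not anything the reporter posted: the mode names ("restrictive" for the pre-1.0 reading the reporter expected, "permissive" for the CSP 1.0 reading where a missing default-src behaves like default-src *), all function names, and the constructed resource URLs under http://fmarier.org/ are this example's own. It also carries the regression check this bug calls for: directives the policy lists explicitly (img-src 'self' and friends) must be honoured whether or not default-src is present, which is true under either reading, so the "only the HTML is displayed" result matches neither.

```javascript
// Added example: minimal CSP evaluator showing the two fallback readings for a
// missing default-src. Names and sample URLs are constructed for this example.

// Split "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Match one source expression. Only the subset needed here is modelled:
// 'none', '*', 'self', scheme-qualified hosts (https://static.example, a
// constructed name) and bare hosts. Origins must match exactly, scheme included.
function sourceAllows(source, originUrl, resourceUrl) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  const resource = new URL(resourceUrl);
  if (source === "'self'") return new URL(originUrl).origin === resource.origin;
  if (source.includes("://")) return new URL(source).origin === resource.origin;
  return source.toLowerCase() === resource.hostname;
}

// Is a load of resourceUrl for `directive` (e.g. "img-src") allowed by
// `policy` on a page at originUrl? `mode` only matters when neither the
// directive nor default-src is present, which is the case this bug is about.
function resourceAllowed(policy, directive, originUrl, resourceUrl, mode) {
  let sources = policy.get(directive);
  if (sources === undefined) sources = policy.get("default-src");
  if (sources === undefined) {
    // "restrictive": unlisted type treated as 'none' (pre-1.0 expectation).
    // "permissive":  unlisted type treated as * (CSP 1.0, per comment 1).
    return mode === "permissive";
  }
  return sources.some((s) => sourceAllows(s, originUrl, resourceUrl));
}

// The two headers from the bug report.
const ORIGIN = "http://fmarier.org/";
const WITHOUT_DEFAULT = "style-src 'self'; img-src 'self'; font-src 'self'";
const WITH_DEFAULT_NONE =
  "default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'";

// Evaluate a same-origin image (listed in both headers) and a same-origin
// script (listed in neither), so the effect of the mode is visible.
function evaluate(header, mode) {
  const policy = parsePolicy(header);
  return {
    image: resourceAllowed(policy, "img-src", ORIGIN, ORIGIN + "logo.png", mode),
    script: resourceAllowed(policy, "script-src", ORIGIN, ORIGIN + "app.js", mode),
  };
}

// Regression check for this bug: every explicitly listed directive must give
// the same answer with and without "default-src 'none'" in front of it, in
// both modes. The reporter's expected result is exactly this equivalence.
function listedDirectivesUnaffectedByDefaultSrc(header) {
  const bare = parsePolicy(header);
  const withNone = parsePolicy("default-src 'none'; " + header);
  for (const directive of bare.keys()) {
    if (directive === "default-src") continue;
    for (const mode of ["restrictive", "permissive"]) {
      const a = resourceAllowed(bare, directive, ORIGIN, ORIGIN + "x", mode);
      const b = resourceAllowed(withNone, directive, ORIGIN, ORIGIN + "x", mode);
      if (a !== b) return false;
    }
  }
  return true;
}

console.log("no default-src, restrictive:", evaluate(WITHOUT_DEFAULT, "restrictive"));
console.log("no default-src, permissive: ", evaluate(WITHOUT_DEFAULT, "permissive"));
console.log("default-src 'none':         ", evaluate(WITH_DEFAULT_NONE, "permissive"));
console.log("listed directives honoured: ", listedDirectivesUnaffectedByDefaultSrc(WITHOUT_DEFAULT));
```

Run it with `node` (file name of your choice). The same-origin image is allowed under every combination, because img-src 'self' is present and never falls through to default-src; only the unlisted script load changes between the two readings, and only when default-src is absent. When hardening a site for the 1.0 behaviour, the practical consequence is the one comment 1 points at: without default-src 'none' (or another explicit default-src), every resource type you did not list is unrestricted.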
Right, I'm going to test this with the 1.0 parser in the very near future :)
Flags: needinfo?(imelven)
Is support for the 1.0 spec in Nightly/Aurora? (i.e. what version of Firefox should I test this with?)
(In reply to François Marier [:francois] from comment #6)
> Is support for the 1.0 spec in Nightly/Aurora? (i.e. what version of Firefox
> should I test this with?)

Most of it is in Aurora/Fx 21, see bug 746978 which is the most relevant piece.

You will need to set security.csp.specCompliant to true manually to enable 1.0 spec support (using the unprefixed Content-Security-Policy header) until bug 842657 lands.
Flags: needinfo?(imelven)
Assignee: imelven → nobody
Status: ASSIGNED → NEW
This bug is very confusing. Is this a bug in the pre-CSP-1.0 implementation, a bug in the CSP 1.0 implementation, or both? Obviously, this is a big deal if it is a bug in the CSP 1.0 implementation, which I'm guessing it is since it blocks csp-w3c-1.0.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE