Closed Bug 921493 Opened 10 years ago Closed 8 years ago

Whitelisting scheme-relative sources in a CSP header does not work properly

Categories

(Core :: Security, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla40
Tracking Status
firefox40 --- fixed

People

(Reporter: freddy, Assigned: ckerschb)

References

(Blocks 1 open bug, )

Details

Attachments

(1 file)

Filing for giorgios (in CC):

According to the CSP spec, a scheme-less URL may be given in a directive by just omitting the colon and everything before it, i.e.:
> Content-Security-Policy: script-src: something.tld

So that this HTML code may fly:
> <script src="//something.tld/foo.js" /> 
regardless of the protocol it is being loaded from.

Apparently this only works with HTTP, not HTTPS.
Chris: can you take a look?
Flags: needinfo?(mozilla)
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Flags: needinfo?(mozilla)
OS: Linux → All
Hardware: x86_64 → All
Attached patch bug_921493.patch
Hey Dan, the problem in this bug was already fixed in Bug 826805. Nevertheless I added an additional test which was not covered before. We should make sure that we basically allow relative schemes to load unless it's a downgrade (https->http).

I think we should have that coverage especially because we are going to move security checks into asyncOpen() soon.
Attachment #8585888 - Flags: review?(dveditz)
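As an added illustration of the rule stated in the comment above (a scheme-less source inherits the page's scheme and may load over a secure upgrade, but never over an https->http downgrade), here is a small Python model of CSP host-source matching. It is example code written for this page, not Gecko's CSP implementation or the attached patch, and it deliberately simplifies: ports, paths and keyword sources such as 'self' are not handled.

```python
from typing import Optional
from urllib.parse import urlsplit


def scheme_allowed(page_scheme: str, url_scheme: str,
                   source_scheme: Optional[str]) -> bool:
    """Scheme part of host-source matching.

    An explicit scheme in the source expression must match exactly.
    A scheme-less source inherits the scheme of the protected document;
    an http page may still load https (upgrade), while an https page
    must not load http (downgrade).
    """
    if source_scheme is not None:
        return url_scheme == source_scheme
    if url_scheme == page_scheme:
        return True
    return page_scheme == "http" and url_scheme == "https"


def host_allowed(pattern: str, host: str) -> bool:
    """Host part: exact match, '*' for any host, '*.tld' for subdomains only."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(source: str, page_url: str, request_url: str) -> bool:
    """Does one host-source expression allow request_url from page_url?"""
    if "://" in source:
        source_scheme, rest = source.split("://", 1)
    else:
        source_scheme, rest = None, source          # scheme-relative source
    # Strip any path and port; port matching is omitted in this model.
    pattern_host = rest.split("/", 1)[0].rsplit(":", 1)[0].lower()
    page, req = urlsplit(page_url), urlsplit(request_url)
    return (scheme_allowed(page.scheme, req.scheme, source_scheme)
            and host_allowed(pattern_host, (req.hostname or "").lower()))


def directive_allows(directive_value: str, page_url: str, request_url: str) -> bool:
    """A directive allows the load when any of its source expressions does."""
    return any(source_allows(s, page_url, request_url)
               for s in directive_value.split())


if __name__ == "__main__":
    # Constructed sample: the page's "something.tld" source on an https page.
    for page in ("http://site.example/", "https://site.example/"):
        for url in ("http://something.tld/foo.js", "https://something.tld/foo.js"):
            print(page, "->", url, source_allows("something.tld", page, url))
```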
Blocks: 826805
Comment on attachment 8585888
bug_921493.patch

Review of attachment 8585888:
-----------------------------------------------------------------

r=dveditz
Attachment #8585888 - Flags: review?(dveditz) → review+
https://hg.mozilla.org/mozilla-central/rev/1c5cc2480340
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED