921493 - Whitelisting scheme-relative sources in a CSP header does not work properly

Status: RESOLVED FIXED

(Core :: Security, defect)

Description

[Frederik Braun [:freddy]]

Filing for giorgios (in CC):

According to the CSP spec, a scheme-less URL may be given in a directive by just omitting the colon and everything before it, i.e.:
> Content-Security-Policy: script-src: something.tld

So that this HTML code may fly:
> <script src="//something.tld/foo.js" /> 
regardless of the protocol it is being loaded from.

Apparently this only works with HTTP, not HTTPS

Comment 1

[Sid Stamm [:geekboy or :sstamm]]

Chris: can you take a look?

Comment 2

[Christoph Kerschbaumer [:ckerschb]]

Attachment: bug_921493.patch

Hey Dan, the problem in this bug was already fixed in Bug 826805. Nevertheless I added an additional test which was not covered before. We should make sure that we basically allow relative schemes to load unless it's a downgrade (https->http).

I think we should have that coverage especially because we are going to move security checks into asyncOpen() soon.

Comment 3

[Daniel Veditz [:dveditz]]

Comment on attachment 8585888 [details] [diff] [review]
bug_921493.patch

Review of attachment 8585888 [details] [diff] [review]:
-----------------------------------------------------------------

r=dveditz

Comment 4

[Christoph Kerschbaumer [:ckerschb]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/1c5cc2480340

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/1c5cc2480340