Closed
Bug 921493
Opened 11 years ago
Closed 10 years ago
Whitelisting scheme-relative sources in a CSP header does not work properly
Categories
(Core :: Security, defect)
Tracking
RESOLVED FIXED
Target Milestone: mozilla40
Flag | Tracking | Status
---|---|---
firefox40 | --- | fixed
People
(Reporter: freddy, Assigned: ckerschb)
References: Blocks 1 open bug
Attachments (1 file)
patch, 6.53 KB | dveditz: review+
Filing for giorgios (in CC):
According to the CSP spec, a scheme-less URL may be given in a directive by just omitting the colon and everything before it, i.e.:
> Content-Security-Policy: script-src: something.tld
So that this HTML code may fly:
> <script src="//something.tld/foo.js" />
regardless of the protocol it is being loaded from.
Apparently this only works with HTTP, not HTTPS.
Updated•10 years ago (assignee)
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Flags: needinfo?(mozilla)
OS: Linux → All
Hardware: x86_64 → All
Comment 2•10 years ago (assignee)
Hey Dan, the problem in this bug was already fixed in Bug 826805. Nevertheless I added an additional test which was not covered before. We should make sure that we basically allow relative schemes to load unless it's a downgrade (https->http).
I think we should have that coverage especially because we are going to move security checks into asyncOpen() soon.
Attachment #8585888 - Flags: review?(dveditz)
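The rule stated in comment 2 (a scheme-relative source loads unless the fetch is an https->http downgrade), shown as an added example written for this page, not Firefox's own CSP code. It implements a simplified subset of CSP host-source matching (scheme, optional `*.` host wildcard, optional port; no paths), and the page and resource URLs in the comments and test are constructed inputs.

```javascript
// Added example, not Firefox's code: simplified CSP host-source matching for
// scheme-relative source expressions such as "something.tld". With no scheme
// in the source expression, the fetched URL's scheme must equal the document's
// scheme, except that an http document may fetch https (upgrade); an https
// document fetching http is a downgrade and is blocked. Paths are not matched.
const SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i;
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Split "scheme://*.host:port" into its parts; scheme and port are optional.
function parseSourceExpression(expr) {
  const m = SOURCE_RE.exec(expr.trim());
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    wildcard: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null,
  };
}

// Port the URL actually uses, with the scheme default filled in.
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does `resourceUrl`, fetched by a document at `pageUrl`, match `sourceExpr`?
// A scheme-relative reference like "//host/x.js" is resolved against pageUrl,
// so it inherits the page's scheme, as the reporter's <script src> does.
function matchesSource(sourceExpr, resourceUrl, pageUrl) {
  const src = parseSourceExpression(sourceExpr);
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page);
  const pageScheme = page.protocol.slice(0, -1); // "https:" -> "https"
  const resScheme = res.protocol.slice(0, -1);
  if (src.scheme) {
    if (src.scheme !== resScheme) return false;
  } else if (resScheme !== pageScheme) {
    // Scheme-less source: tolerate only the http -> https upgrade.
    if (!(pageScheme === 'http' && resScheme === 'https')) return false;
  }
  const host = res.hostname.toLowerCase();
  if (src.wildcard ? !host.endsWith('.' + src.host) : host !== src.host) return false;
  // No port-part in the source means only the scheme's default port matches.
  if (src.port === '*') return true;
  if (src.port) return src.port === effectivePort(res);
  return effectivePort(res) === (DEFAULT_PORTS[res.protocol] || '');
}
```

The two cases from the bug description (an https page and an http page each loading `//something.tld/foo.js` under `script-src something.tld`) both return true; only an explicit `http://` fetch from an https page is refused.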
Comment 3•10 years ago
Comment on attachment 8585888 [details] [diff] [review]
bug_921493.patch
Review of attachment 8585888 [details] [diff] [review]:
-----------------------------------------------------------------
r=dveditz
Attachment #8585888 - Flags: review?(dveditz) → review+
Comment 4•10 years ago (assignee)
Target Milestone: --- → mozilla40
Comment 5•10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox40: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED