Closed
Bug 921493
Opened 10 years ago
Closed 8 years ago
Whitelisting scheme-relative sources in a CSP header does not work properly
Categories: Core :: Security, defect

Tracking: RESOLVED FIXED (mozilla40)

Tracking | Status
---|---
firefox40 | fixed
People: Reporter: freddy, Assigned: ckerschb

References: Blocks 1 open bug

Attachments (1 file): bug_921493.patch, 6.53 KB, patch, dveditz: review+
Filing for giorgios (in CC): According to the CSP spec, a scheme-less URL may be given in a directive by just omitting the colon and everything before it, i.e.:

> Content-Security-Policy: script-src: something.tld

So that this HTML code may fly:

> <script src="//something.tld/foo.js" />

regardless of the protocol it is being loaded from. Apparently this only works with HTTP, not HTTPS.
Updated•8 years ago (Assignee)
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Flags: needinfo?(mozilla)
OS: Linux → All
Hardware: x86_64 → All

Comment 2•8 years ago (Assignee)
Hey Dan, the problem in this bug was already fixed in Bug 826805. Nevertheless I added an additional test which was not covered before. We should make sure that we basically allow relative schemes to load unless it's a downgrade (https->http). I think we should have that coverage especially because we are going to move security checks into asyncOpen() soon.
Attachment #8585888 - Flags: review?(dveditz)
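The rule the description and comment 2 describe, as an added example that is not Firefox's code: a small matcher for a scheme-less CSP host-source that permits same-scheme loads and an http-page-to-https-resource upgrade, but rejects the https-to-http downgrade. All hostnames, URLs and function names below are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Added illustration, not Firefox's implementation. Default ports let
# "https://something.tld/x.js" and "https://something.tld:443/x.js" match alike.
DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_protocol_relative(page_url: str, src: str) -> str:
    """The browser resolves <script src="//host/x.js"> against the page's
    scheme before CSP is consulted; urljoin performs that same resolution."""
    return urljoin(page_url, src)


def _host_matches(pattern: str, host: str) -> bool:
    """CSP host matching: exact host, or "*.example" for any subdomain
    (the wildcard form does not match the bare "example" itself)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def scheme_less_source_allows(source: str, page_url: str, resource_url: str) -> bool:
    """Does the scheme-less host-source `source` (e.g. "something.tld",
    "*.something.tld", "something.tld:8443") permit loading `resource_url`
    from a document served at `page_url`?"""
    if "://" in source:
        raise ValueError("expects a scheme-less host-source")
    page, res = urlsplit(page_url), urlsplit(resource_url)
    host_pat, _, port_pat = source.partition("/")[0].partition(":")
    if not _host_matches(host_pat.lower(), res.hostname or ""):
        return False
    # Port: no port in the source means the URL must use its scheme's default.
    if port_pat == "":
        if res.port is not None and res.port != DEFAULT_PORTS.get(res.scheme):
            return False
    elif port_pat != "*":
        effective = res.port if res.port is not None else DEFAULT_PORTS.get(res.scheme)
        if effective != int(port_pat):
            return False
    # Scheme: a scheme-less source inherits the page's scheme. Same-scheme
    # loads are fine, and so is an http page pulling https, but an https
    # page must not fetch over plain http (the downgrade comment 2 rules out).
    if res.scheme == page.scheme:
        return True
    return page.scheme == "http" and res.scheme == "https"
```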
Comment 3•8 years ago
Comment on attachment 8585888 [details] [diff] [review]
bug_921493.patch

Review of attachment 8585888 [details] [diff] [review]:
-----------------------------------------------------------------

r=dveditz
Attachment #8585888 - Flags: review?(dveditz) → review+
Comment 4•8 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/1c5cc2480340
Target Milestone: --- → mozilla40
Comment 5•8 years ago
https://hg.mozilla.org/mozilla-central/rev/1c5cc2480340
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox40: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED