Whitelisting scheme-relative sources in a CSP header does not work properly

RESOLVED FIXED in Firefox 40

People

(Reporter: freddyb, Assigned: ckerschb)

Tracking

Blocks: 1 bug
Version: unspecified
Target Milestone: mozilla40
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox40 fixed

Attachments (1 attachment)

Description (Reporter, 5 years ago)

Filing for giorgios (in CC):

According to the CSP spec, a scheme-less URL may be given in a directive by just omitting the colon and everything before it, i.e.:
> Content-Security-Policy: script-src: something.tld

So that this HTML code may fly:
> <script src="//something.tld/foo.js" />
regardless of the protocol it is being loaded from.

Apparently this only works with HTTP, not HTTPS.
Chris: can you take a look?
Flags: needinfo?(mozilla)
Updated (Assignee, 4 years ago)

Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Flags: needinfo?(mozilla)
OS: Linux → All
Hardware: x86_64 → All
Comment 2 (Assignee, 4 years ago)

Created attachment 8585888: bug_921493.patch

Hey Dan, the problem in this bug was already fixed in Bug 826805. Nevertheless, I added an additional test which was not covered before. We should make sure that we basically allow relative schemes to load unless it's a downgrade (https->http).

I think we should have that coverage especially because we are going to move security checks into asyncOpen() soon.
Attachment #8585888 - Flags: review?(dveditz)
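The rule stated in Comment 2 (a scheme-less host-source such as `something.tld` allows the load unless it is a downgrade from https to http) is the CSP "scheme-part match": the request's scheme must equal the page's scheme or be its secure upgrade. The following Python model is an added example, not Firefox's implementation and not part of this bug; it assumes the source list contains only host-source expressions (keyword sources like `'self'` are not modelled) and resolves a scheme-relative `//host/path` URL against the page before matching, as a browser does. Host names, page URLs and ports below are constructed sample values.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not Firefox code: a minimal model of how a CSP host-source
# without a scheme (e.g. "something.tld") is matched against a request URL.
# Rule (CSP "scheme-part match"): the request scheme must equal the page
# scheme, or be the secure upgrade of it (http -> https, ws -> wss).
# A downgrade (https page, http request) never matches.

SECURE_UPGRADE = {"http": "https", "ws": "wss"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def scheme_part_match(expected: str, actual: str) -> bool:
    """True if `actual` equals `expected` or is its secure upgrade."""
    return actual == expected or SECURE_UPGRADE.get(expected) == actual


def _host_match(pattern: str, host: str) -> bool:
    """Host match with an optional leading "*." wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".something.tld": at least one extra label required
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def host_source_matches(source: str, request_url: str, page_url: str) -> bool:
    """Does CSP host-source `source` allow `request_url` from a page at `page_url`?

    `source` is one host-source expression from a directive, e.g.
    "something.tld", "https://something.tld", "*.something.tld:8443".
    Scheme-relative request URLs ("//host/path") are resolved against the
    page first, as a browser does before CSP matching.
    """
    page = urlsplit(page_url)
    url = urlsplit(urljoin(page_url, request_url))

    # Split the source expression into optional scheme, host, optional port.
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
    else:
        src_scheme, rest = None, source
    host_part, _, port_part = rest.partition(":")

    # Scheme: an explicit scheme in the source wins; otherwise fall back to the
    # page's scheme, which is what makes https->http a blocked downgrade while
    # http->https (an upgrade) is still allowed.
    expected_scheme = src_scheme or page.scheme
    if not scheme_part_match(expected_scheme, url.scheme):
        return False

    if not _host_match(host_part, url.hostname or ""):
        return False

    # Port: an explicit port in the source must equal the request port ("*"
    # matches any); an absent port means the default port of the request scheme.
    request_port = url.port or DEFAULT_PORTS.get(url.scheme)
    if port_part:
        if port_part == "*":
            return True
        return request_port == int(port_part)
    return request_port == DEFAULT_PORTS.get(url.scheme)


def directive_allows(source_list: str, request_url: str, page_url: str) -> bool:
    """Evaluate a whitespace-separated source list, e.g. "something.tld https://cdn.example"."""
    return any(host_source_matches(s, request_url, page_url) for s in source_list.split())


if __name__ == "__main__":
    # The case from the bug: "script-src something.tld" and <script src="//something.tld/foo.js">
    for page in ("http://example.com/index.html", "https://example.com/index.html"):
        allowed = host_source_matches("something.tld", "//something.tld/foo.js", page)
        print(f"page {page}: //something.tld/foo.js allowed = {allowed}")
    # Explicit downgrade: https page, http script -> blocked
    print(host_source_matches("something.tld", "http://something.tld/foo.js",
                              "https://example.com/index.html"))
```

The two `print` lines for the scheme-relative script both report `True`, which is the behaviour the reporter expected on both HTTP and HTTPS pages; only the explicit `http://` load from an `https://` page is refused.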
Updated (Assignee, 4 years ago)

Blocks: 826805
Comment on attachment 8585888: bug_921493.patch

Review of attachment 8585888:

r=dveditz
Attachment #8585888 - Flags: review?(dveditz) → review+
https://hg.mozilla.org/mozilla-central/rev/1c5cc2480340
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
status-firefox40: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED