Bug 1076837: CSP - Update Source Expression matching to follow spec
Status: NEW (Opened 10 years ago, Updated 2 years ago)
Categories: Core :: DOM: Security, defect, P3
People: Reporter: ckerschb, Unassigned
References: Blocks 1 open bug
Whiteboard: [domsecurity-backlog2]
Comment 0 (Reporter: ckerschb)
As Sid pointed out correctly in:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1075230#c10
there are 2 things that we currently do differently in
> http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsCSPUtils.cpp#291
than the spec suggests in:
> http://www.w3.org/TR/CSP11/#match-source-expression
In particular:
* 4.4.1, and 4.4.2
Updated 9 years ago: Whiteboard: [domsecurity-backlog]
Updated 8 years ago: Priority: -- → P2
Updated 8 years ago: Priority: P2 → P3; Whiteboard: [domsecurity-backlog] → [domsecurity-backlog2]
Comment 1 (8 years ago)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #0)
> than the specs suggests in:
> > http://www.w3.org/TR/CSP11/#match-source-expression
>
> In particular:
> * 4.4.1, and 4.4.2
The spec has changed and these references are no longer valid.
Looking at the version of the spec at the time of that comment though:
https://www.w3.org/TR/2014/WD-CSP2-20140703/#match-source-expression
the relevant lines look like:
4.4.1. the scheme of the protected resource’s URI is a case insensitive match for HTTP, and uri-scheme is not a case insensitive match for either HTTP or HTTPS
4.4.2. the scheme of the protected resource’s URI is not a case insensitive match for HTTP, and uri-scheme is not a case insensitive match for the scheme of the protected resource’s URI.
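The two steps quoted above, worked through as an added illustration (this is not Firefox's nsCSPUtils.cpp code and not text from the spec). It assumes the two steps apply when the source expression carries no scheme of its own, so that "uri-scheme" is the scheme of the URL being checked and it is compared against the protected resource's (the page's) scheme; the function names and the sample URLs are constructed for this example.

```python
# Added example: scheme rule for a schemeless source expression, following
# steps 4.4.1 and 4.4.2 of the 2014-07-03 CSP2 Working Draft quoted above.
# Assumption: "uri-scheme" is the scheme of the URL being checked, compared
# against the scheme of the protected resource (the page carrying the policy).
# Illustrative code only, not the Firefox implementation.

from urllib.parse import urlsplit


def scheme_allowed(protected_scheme: str, uri_scheme: str) -> bool:
    """Return False when step 4.4.1 or 4.4.2 says 'does not match'."""
    # Both steps compare case-insensitively, so normalise first.
    page = protected_scheme.lower()
    uri = uri_scheme.lower()
    if page == "http":
        # 4.4.1: on an HTTP page, only HTTP or HTTPS targets match.
        return uri in ("http", "https")
    # 4.4.2: on any other scheme, the target must use exactly that scheme.
    return uri == page


def schemeless_source_permits(protected_url: str, candidate_url: str) -> bool:
    """Apply the scheme rule to two full URLs (host and port matching omitted)."""
    return scheme_allowed(urlsplit(protected_url).scheme,
                          urlsplit(candidate_url).scheme)


if __name__ == "__main__":
    # Constructed sample pairs: (page URL, URL being loaded).
    samples = [
        ("http://example.com/",  "https://cdn.example.com/app.js"),
        ("https://example.com/", "http://cdn.example.com/app.js"),
        ("HTTP://example.com/",  "HTTPS://cdn.example.com/app.js"),
        ("ftp://example.com/",   "ftp://files.example.com/a.txt"),
        ("http://example.com/",  "ftp://files.example.com/a.txt"),
    ]
    for page, target in samples:
        verdict = "matches" if schemeless_source_permits(page, target) else "does not match"
        print(f"{page} -> {target}: {verdict}")
```

The asymmetry is the point of the two steps: an http page may load an https resource through a schemeless source, but an https page may not fall back to http, and a page on any other scheme gets an exact (case-insensitive) scheme comparison only.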
Updated 2 years ago: Severity: normal → S3