Closed
Bug 702176
Opened 13 years ago
Closed 11 years ago
CSP: if default-src is missing, the rest of the policy is ignored
Categories
(Core :: DOM: Core & HTML, defect, P1)
RESOLVED
DUPLICATE
of bug 764937
People
(Reporter: francois, Unassigned)
References
(Blocks 2 open bugs)
Details
User Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24
Build ID: 20111107172717
Steps to reproduce:
I've got the following CSP header on http://fmarier.org/copy.html:
X-Content-Security-Policy: style-src 'self'; img-src 'self'; font-src 'self'
Actual results:
It should allow local images and stylesheets through (like it did in Firefox 7), however, it doesn't and only the HTML is displayed.
Expected results:
It should be rendered the same way as http://fmarier.org/ which has this policy:
X-Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'
Comment 1•12 years ago
That's certainly how our original Mozilla proposal read, but during the evolution of the W3 Content Security Policy spec this was changed so that missing attributes meant no restrictions. In other words, leaving off default-src 'none' was closer to an implied "default-src *".
But when this bug was filed we should not have had that behavior (I'm not sure we've intentionally changed yet), so we need to look into this.
Assignee: nobody → tanvi
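As an added example, not code from this bug or from Firefox itself: a small JavaScript model of the CSP 1.0 fallback that comment 1 describes, applied to the two headers from the report. The parser, the `allows` helper and the resource URLs are assumptions; only 'none', 'self', '*' and exact-origin sources are modelled.

```javascript
// Constructed example: CSP 1.0 fetch-directive fallback. Not the browser's parser.

// Parse "dir src src; dir src" into { dir: [src, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// CSP 1.0: a missing fetch directive falls back to default-src; if default-src
// is missing too, that resource type is unrestricted (signalled by null).
// This is the "implied default-src *" behaviour from comment 1.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (policy["default-src"]) return policy["default-src"];
  return null;
}

// Decide whether loading resourceUrl for the given directive is allowed on a
// page served from pageOrigin. Schemes, wildcard hosts and paths are omitted.
function allows(header, directive, resourceUrl, pageOrigin) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true; // neither directive nor default-src present
  const origin = new URL(resourceUrl).origin.toLowerCase();
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return origin === pageOrigin.toLowerCase();
    if (src === "*") return true;
    return src === origin; // exact origin source expression
  });
}

// The two headers from the report (assumed page origin: http://fmarier.org).
const WITHOUT_DEFAULT = "style-src 'self'; img-src 'self'; font-src 'self'";
const WITH_DEFAULT_NONE = "default-src 'none'; " + WITHOUT_DEFAULT;
```

Under these rules the first header still lets local images through, but it also leaves script-src unrestricted, which the second header closes off with default-src 'none'.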
Updated•12 years ago
Component: General → DOM: Core & HTML
Product: Firefox → Core
Updated•12 years ago
Assignee: tanvi → administration
Updated•12 years ago
Blocks: csp-w3c-1.0, CSP
Comment 2•12 years ago
This should be fixed as part of bug 746978; I'll make sure it is.
Assignee: administration → imelven
Status: UNCONFIRMED → ASSIGNED
Depends on: 746978
Ever confirmed: true
Updated•12 years ago
Flags: needinfo?(imelven)
OS: Linux → All
Priority: -- → P1
Hardware: x86_64 → All
Updated•12 years ago
Flags: needinfo?(imelven)
Comment 4•12 years ago
I think this is not a dupe of 764937... the X- header version (pre 1.0) requires default-src or allow directives as dveditz says in comment 1. I think this is wontfix for the X- version of the header; though for version 1.0 compliance (bug csp-w3c-1.0) we do need to make sure this works.
Flags: needinfo?(imelven)
Comment 5•12 years ago
Right, I'm going to test this with the 1.0 parser in the very near future :)
Flags: needinfo?(imelven)
Reporter
Comment 6•12 years ago
Is support for the 1.0 spec in Nightly/Aurora? (i.e. what version of Firefox should I test this with?)
Comment 7•12 years ago
(In reply to François Marier [:francois] from comment #6)
> Is support for the 1.0 spec in Nightly/Aurora? (i.e. what version of Firefox
> should I test this with?)
Most of it is in Aurora/Fx 21, see bug 746978 which is the most relevant piece.
You will need to set security.csp.specCompliant to true manually to enable 1.0 spec support (using the unprefixed Content-Security-Policy header) until bug 842657 lands.
Flags: needinfo?(imelven)
Updated•11 years ago
Assignee: imelven → nobody
Updated•11 years ago
Status: ASSIGNED → NEW
Comment 8•11 years ago
This bug is very confusing. Is this a bug in the pre-CSP-1.0 implementation, a bug in the CSP 1.0 implementation, or both? Obviously, this is a big deal if it is a bug in the CSP 1.0 implementation, which I'm guessing it is since it blocks csp-w3c-1.0.
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE