[Webkit-unassigned] [Bug 154177] New: CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource

Fri Feb 12 11:26:07 PST 2016

https://bugs.webkit.org/show_bug.cgi?id=154177

            Bug ID: 154177
           Summary: CSP: Allow schemeless source expressions to match an
                    HTTP or HTTPS resource
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dbates at webkit.org
                CC: dbates at webkit.org

Following up from bug #112573 and bug #153748, we should remove the ENABLE(CSP_NEXT)-guard around the code in ContentSecurityPolicy::protocolMatchesSelf() so that we allow a schemeless source expression to match against a HTTP or HTTPS resource.

For example, assume the page http://www.example.com has Content Security Policy script-src example.com. If the page loads an external JavaScript script https://example.com/script.js then the load will be blocked by the Content Security Policy of the page because the scheme of the page (http) differs from the scheme of the requested script (https). But the load should be allowed by <https://www.w3.org/TR/CSP2/#match-source-expression> (21 July 2015).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160212/dd6cef9e/attachment.html>