[Webkit-unassigned] [Bug 154177] New: CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource
bugzilla-daemon at webkit.org
Fri Feb 12 11:26:07 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=154177
Bug ID: 154177
Summary: CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: All
OS: All
Status: NEW
Keywords: InRadar
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: dbates at webkit.org
CC: dbates at webkit.org
Following up from bug #112573 and bug #153748, we should remove the ENABLE(CSP_NEXT)-guard around the code in ContentSecurityPolicy::protocolMatchesSelf() so that we allow a schemeless source expression to match against an HTTP or HTTPS resource.
For example, assume the page http://www.example.com has Content Security Policy script-src example.com. If the page loads an external JavaScript script https://example.com/script.js then the load will be blocked by the Content Security Policy of the page because the scheme of the page (http) differs from the scheme of the requested script (https). But the load should be allowed by <https://www.w3.org/TR/CSP2/#match-source-expression> (21 July 2015).