[Webkit-unassigned] [Bug 153168] New: Disallow an empty host in a CSP host-source directive

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 15 18:10:04 PST 2016


https://bugs.webkit.org/show_bug.cgi?id=153168

            Bug ID: 153168
           Summary: Disallow an empty host in a CSP host-source directive
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: All
                OS: All
            Status: NEW
          Keywords: BlinkMergeCandidate
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dbates at webkit.org

We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=180407>.

Disallow an empty host in a CSP host-source directive

Currently "https://" is accepted and treated like "https:". This behavior has never been part of any standard.

The syntax is specified in http://www.w3.org/TR/CSP11/#source-list-syntax

host-source       = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
host-part         = "*" / [ "*." ] 1*host-char *( "." 1*host-char )

As you can see, the host-part is NOT optional.

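Added example (not part of the original bug report, and not WebKit or Blink code): a JavaScript matcher for the host-source grammar quoted above, next to a lenient variant that models the "https://" behaviour the report describes. The function names, the scheme-part, host-char and port-part definitions (from the same spec section, not quoted in the report) and the simplified path-part are assumptions.

```javascript
// Added example, not WebKit/Blink code. Grammar as quoted in the report:
//   host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
//   host-part   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
// Assumed (same spec section, not quoted in the report):
//   scheme-part = RFC 3986 scheme, host-char = ALPHA / DIGIT / "-",
//   port-part   = ":" ( 1*DIGIT / "*" ); path-part is simplified here.
const SCHEME = "[A-Za-z][A-Za-z0-9+.-]*";
const HOST = "(?:\\*|(?:\\*\\.)?[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)*)";
const PORT = ":(?:[0-9]+|\\*)";
const PATH = "/[^\\s;,]*";

const SCHEME_SOURCE = new RegExp(`^(${SCHEME}):$`);
const HOST_SOURCE = new RegExp(`^(?:(${SCHEME})://)?(${HOST})(${PORT})?(${PATH})?$`);
const EMPTY_HOST = new RegExp(`^(${SCHEME})://$`);

// Strict: host-part is mandatory, so "https://" matches neither production.
function parseSourceStrict(expr) {
  let m = SCHEME_SOURCE.exec(expr);
  if (m) return { kind: "scheme-source", scheme: m[1].toLowerCase() };
  m = HOST_SOURCE.exec(expr);
  if (!m) return null;
  return {
    kind: "host-source",
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2],
    port: m[3] ? m[3].slice(1) : null,
    path: m[4] || null,
  };
}

// Lenient: models the reported behaviour, where "https://" is treated like "https:".
function parseSourceLenient(expr) {
  const m = EMPTY_HOST.exec(expr);
  if (m) return { kind: "scheme-source", scheme: m[1].toLowerCase() };
  return parseSourceStrict(expr);
}

// Policy audit helper: source expressions whose meaning changes once the
// empty host is disallowed (accepted by the lenient parser only).
function emptyHostSources(sourceList) {
  return sourceList.trim().split(/\s+/).filter(
    (t) => parseSourceStrict(t) === null && parseSourceLenient(t) !== null
  );
}

// Constructed sample directive value.
console.log(emptyHostSources("https:// 'self' cdn.example.com")); // flags "https://"
```

Running emptyHostSources over deployed policies shows which source lists relied on the lenient behaviour and need "https:" written explicitly.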