[Webkit-unassigned] [Bug 153168] New: Disallow an empty host in a CSP host-source directive
bugzilla-daemon at webkit.org
Fri Jan 15 18:10:04 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=153168
Bug ID: 153168
Summary: Disallow an empty host in a CSP host-source directive
Classification: Unclassified
Product: WebKit
Version: WebKit Local Build
Hardware: All
OS: All
Status: NEW
Keywords: BlinkMergeCandidate
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: dbates at webkit.org
We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=180407>.
Disallow an empty host in a CSP host-source directive
Currently "https://" is accepted and treated like "https:". This behavior has never been part of any standard.
The syntax is specified in http://www.w3.org/TR/CSP11/#source-list-syntax
host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
As you can see, the host-part is NOT optional.
--
You are receiving this mail because:
You are the assignee for the bug.
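
The grammar quoted in the report, as an added example (not WebKit or Blink code): a small classifier showing that "https:" is a scheme-source while "https://" matches no production because host-part requires at least one host-char. The scheme, host-char and port-part rules are taken from the linked CSP 1.1 grammar; path-part is a simplified approximation, and the function names are hypothetical.

```javascript
// Added illustration; not WebKit or Blink code.
// scheme-part: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME = "[A-Za-z][A-Za-z0-9+.-]*";
// host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char ), host-char = ALPHA / DIGIT / "-"
const HOST = "\\*|(?:\\*\\.)?[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)*";
// port-part = ":" ( 1*DIGIT / "*" )
const PORT = ":(?:[0-9]+|\\*)";
// Simplification (assumption): path-part is "/" plus any run without whitespace, ";" or ",".
const PATH = "/[^\\s;,]*";

// host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
const HOST_SOURCE = new RegExp(`^(?:(${SCHEME})://)?(${HOST})(${PORT})?(${PATH})?$`);
// scheme-source = scheme-part ":"
const SCHEME_SOURCE = new RegExp(`^(${SCHEME}):$`);

// Classify one non-keyword source expression against the two productions.
function classifySource(expr) {
  let m = SCHEME_SOURCE.exec(expr);
  if (m) return { kind: "scheme-source", scheme: m[1] };
  m = HOST_SOURCE.exec(expr);
  if (m) {
    return {
      kind: "host-source",
      scheme: m[1] || null,
      host: m[2],
      port: m[3] ? m[3].slice(1) : null,
      path: m[4] || null,
    };
  }
  return { kind: "invalid" };
}

// Audit a directive's source list: return tokens that match neither production.
// Quoted tokens ('self', nonces, hashes) are keyword-style sources and are skipped.
function findMalformedSources(sourceList) {
  return sourceList
    .trim()
    .split(/\s+/)
    .filter((tok) => tok && !tok.startsWith("'"))
    .filter((tok) => classifySource(tok).kind === "invalid");
}

// Constructed sample policy value: only "https://" is reported.
console.log(findMalformedSources("'self' https:// https://cdn.example.com https:"));
```

Running the audit over deployed policies shows which ones relied on "https://" being treated as "https:" and will change behaviour once the empty host is rejected.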