Content Security Policy source-expression matching does not follow the specification
Reported by
shek...@gmail.com,
Feb 28 2016
|
||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2652.0 Safari/537.36 Example URL: Steps to reproduce the problem: CSP level 2 specification describes how source-expressions containing non-empty path-part in section 4.2.2.11 https://www.w3.org/TR/CSP2/#match-source-expression, which implies that no matter if `exact-match` is true or not, matching of path-list entries should be performed in case-insensitive way. Aboce is valid for CSP level 3 as well. What is the expected behavior? Perform path-part matching according to the specification. exact-match: true content-security-policy: script-src example.com/script.js resource at: example.com/Script.js result: doesn't match expected: should load exact-match: false content-security-policy: script-src example.com/A/script.js resource at: example.com/A/script.js result: doesn't match expected: should match What went wrong? I expect Chromium to follow the specification or, (more reasonable in this case, as FF implements the same behavior) update the spec. Did this work before? N/A Chrome version: 50.0.2652.0 Channel: n/a OS Version: OS X 10.11.3 Flash Version: Shockwave Flash 21.0 r0
,
Feb 29 2016
Not mkwst, but should be Blink>SecurityFeature
,
Feb 29 2016
I agree that that's what I wrote in the spec, but I'm not sure it's actually the behavior we want. We case-insensitively compare hosts and schemes, because the case doesn't matter (e.g. `https://example.com` === `hTtPs://eXaMPlE.Com`). That's not the case for paths; they're quite often case-sensitive. Changed the spec in https://github.com/w3c/webappsec-csp/commit/dbeca439ccca4d99ccb34f0ef09570ce6a498bd5. Closing this out, thanks for the report! |
||
►
Sign in to add a comment |
||
Comment 1 by cbentzel@chromium.org
, Feb 29 2016