
Issue 815142


Issue metadata

Status: Fixed
Closed: Sep 17
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 2
Type: Bug




Content-Security-Policy connect-src 'self' disallows WSS connections from HTTPS pages

Reported by emil.fih...@gmail.com, Feb 23 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

Steps to reproduce the problem:
1. Send a Content-Security-Policy header with content connect-src 'self'
2. Attempt a WebSocket connection to the origin with new WebSocket("wss://domain.tld")

What is the expected behavior?
Websocket connection is established successfully

What went wrong?
Websocket connection is prevented and the console logs:
Refused to connect to 'wss://domain.tld/uri' because it violates the following Content Security Policy directive: "connect-src 'self' *.domain.tld".

Did this work before? N/A 

Chrome version: 64.0.3282.186  Channel: stable
OS Version: 10.0
Flash Version: 

https://github.com/w3c/webappsec-csp/issues/7

Firefox connects without issues.
 

Comment 1 Deleted

Tag could be changed to Content or Network/Downloading
Cc: andypaicu@chromium.org
Components: Blink>Network>WebSockets Blink>SecurityFeature>ContentSecurityPolicy
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp?l=80&rcl=b4e4cdac0ba7bef73e7278dd11537d7e490148c6

The code in https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp?l=57&rcl=b4e4cdac0ba7bef73e7278dd11537d7e490148c6 allows "HTTPS" to match "HTTP" and "WSS" to match "WS" but doesn't seem to allow "WSS" to match "HTTPS", as alluded to in https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b9697ff7b60 which says "Likewise, handling for `'self'` now includes `https:` and `wss:` on the protected resource's host."
Status: Untriaged (was: Unconfirmed)
Summary: Content-Security-Policy connect-src 'self' disallows WSS connections from HTTPS pages (was: 'self' in connect-src section in content security policy header disallows wss connections to origin)

Comment 6 by jochen@chromium.org, Feb 27 2018

Cc: mkwst@chromium.org
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac
Owner: andypaicu@chromium.org
Status: Assigned (was: Untriaged)
Still happens in Chrome v68.0.3440.75 

Comment 8 by bugdroid1@chromium.org, Sep 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/15b59a4d4fe5524b5cb006747831aa1c47012e75

commit 15b59a4d4fe5524b5cb006747831aa1c47012e75
Author: Andy Paicu <andypaicu@chromium.org>
Date: Mon Sep 17 16:58:02 2018

Implemented the correct 'self' matching logic according to the spec

Spec: https://w3c.github.io/webappsec-csp/#match-url-to-source-expression

The 'self' matching logic is similar to the host/scheme-source expression
but different enough where it's causing issues because we're just
reusing the csp_source Matches logic.

This is incorrect as it causes issues such as the related bug.

This CL covers:
* Added a new MatchesAsSelf function that is used for 'self' expression
matching
* Added unit tests for this function
* Added new test covering the scenario in the bug (wss scheme that matches
scheme)
* Drive-by fixes to some connect-src tests

There is similar work that needs to be done in the content/ CSP
but since I don't want to duplicate any feedback, I will wait until
this patch looks finalized.

Bug:  815142 
Change-Id: Ie1d6579e29b9d320e56fcdb556893c7675bd11b8
Reviewed-on: https://chromium-review.googlesource.com/1225570
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#591710}
[modify] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html
[modify] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html
[modify] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html
[modify] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html
[add] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/connect-src/connect-src-websocket-self.sub.html
[modify] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
[modify] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/blink/renderer/core/frame/csp/csp_source.cc
[modify] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/blink/renderer/core/frame/csp/csp_source.h
[modify] https://crrev.com/15b59a4d4fe5524b5cb006747831aa1c47012e75/third_party/blink/renderer/core/frame/csp/csp_source_test.cc

Status: Fixed (was: Assigned)
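
The difference between the two matching behaviours discussed in this issue, as an added example that is not code from the report or from Chromium. `matchesSelfAsSource` models the pre-fix behaviour as the thread describes it, `matchesSelf` follows the 'self' step of the spec section linked in the commit message, and all function names and sample URLs are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not Chromium's MatchesAsSelf.
const DEFAULT_PORT = { 'http:': 80, 'ws:': 80, 'https:': 443, 'wss:': 443 };
const effectivePort = (u) =>
  u.port === '' ? DEFAULT_PORT[u.protocol] : Number(u.port);

// Scheme comparison as the thread describes the pre-fix code: exact match,
// or the http->https and ws->wss upgrades. There is no https->wss case.
function schemeMatchesAsSource(sourceScheme, urlScheme) {
  return sourceScheme === urlScheme ||
    (sourceScheme === 'http:' && urlScheme === 'https:') ||
    (sourceScheme === 'ws:' && urlScheme === 'wss:');
}

// Pre-fix model: 'self' handled as an ordinary scheme/host/port source
// built from the page's own origin (port handling simplified here).
function matchesSelfAsSource(pageUrl, requestUrl) {
  const o = new URL(pageUrl), u = new URL(requestUrl);
  return schemeMatchesAsSource(o.protocol, u.protocol) &&
    o.hostname === u.hostname &&
    effectivePort(o) === effectivePort(u);
}

// Dedicated 'self' rule: same origin, or same host with compatible ports
// and either a secure target scheme or an http page reaching http/ws.
function matchesSelf(pageUrl, requestUrl) {
  const o = new URL(pageUrl), u = new URL(requestUrl);
  if (o.origin !== 'null' && o.origin === u.origin) return true;
  const portsOk = effectivePort(o) === effectivePort(u) ||
    (o.port === '' && u.port === ''); // both on their scheme's default port
  if (o.hostname !== u.hostname || !portsOk) return false;
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  return o.protocol === 'http:' &&
    (u.protocol === 'http:' || u.protocol === 'ws:');
}

// Evaluate a list of request URLs against a page under both models.
function evaluate(pageUrl, requests) {
  return requests.map((url) => ({
    url,
    preFix: matchesSelfAsSource(pageUrl, url),
    selfRule: matchesSelf(pageUrl, url),
  }));
}

// Constructed sample requests for a page served from https://domain.tld/.
console.table(evaluate('https://domain.tld/', [
  'wss://domain.tld/uri',      // the case reported in this issue
  'ws://domain.tld/uri',       // insecure downgrade, stays blocked
  'wss://domain.tld:8443/uri', // non-default port that differs from the page
  'wss://other.tld/uri',       // different host
]));
```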
