
Issue 882145

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Content Security Policy uses case-sensitive domains

Reported by da...@niceguyit.biz, Sep 8

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce the problem:
1. Install WordPress on a domain with HTTPS. This can be reproduced with WordPress 4.9.8.
2. Log in as the admin and go to Settings > General and change the domain to MixedCase. When saving the settings, it may ask you to log in again.
3. In the admin, go to Appearance > Customize.
4. The frame showing the page will be blank. 

What is the expected behavior?
The frame should show the web page to customize.

What went wrong?
The console logs the following error.

Refused to display 'https://niceguyit.biz/?customize_changeset_uuid=00000000-0000-0000-0000-000000000000&customize_theme=enigma-niceguyit&customize_messenger_channel=preview-0' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://NiceGuyIT.biz".

Notice the case difference between the request and the frame-ancestors directive. To test the case sensitivity, in WordPress go to Settings > General and change the "WordPress Address (URL)" to all lowercase and now the frame will show the web page.

Firefox beta 63.0b4 shows the following and the frame is displayed.
Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.

Did this work before? N/A 

Does this work in other browsers? Yes

Chrome version: 69.0.3497.81  Channel: stable
OS Version: openSUSE Leap 15.0
Flash Version: 

The component selection above only has 2 levels, not 3 levels. I believe this belongs in Blink>SecurityFeature>ContentSecurityPolicy.

In case this relies on other policies (i.e. x-frame-options), I've included the headers as shown in the developers tools. Some information has been sanitized.

General
=======
Request URL: https://niceguyit.biz/?customize_changeset_uuid=00000000-0000-0000-0000-000000000000&customize_theme=enigma-niceguyit&customize_messenger_channel=preview-0
Request Method: GET
Status Code: 200 
Remote Address: 000.000.000.000:443
Referrer Policy: strict-origin-when-cross-origin

Response Headers
================
cache-control: no-cache, must-revalidate, max-age=0
content-security-policy: frame-ancestors https://NiceGuyIT.biz
content-type: text/html; charset=UTF-8
date: Sat, 08 Sep 2018 14:57:17 GMT
expires: Wed, 11 Jan 1984 05:00:00 GMT
link: <https://NiceGuyIT.biz/>; rel=shortlink
link: <https://NiceGuyIT.biz/wp-json/>; rel="https://api.w.org/"
pragma: no-cache
server: nginx/1.15.2
status: 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: Accept-Encoding, Cookie
x-content-type-options: nosniff
x-frame-options: ALLOW-FROM https://NiceGuyIT.biz/wp-admin/customize.php
x-frame-options: SAMEORIGIN
x-powered-by: PHP/7.2.9
x-robots: noindex, nofollow, noarchive
x-xss-protection: 1; mode=block

Request Headers
===============
:authority: niceguyit.biz
:method: GET
:path: /?customize_changeset_uuid=00000000-0000-0000-0000-000000000000&customize_theme=enigma-niceguyit&customize_messenger_channel=preview-0
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
cookie: PHPSESSID=00000000000000000000000000000000; wordpress_google_apps_login=00000000000000000000000000000000; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_00000000000000000000000000000000=aaaaaaaaa%000000000000%000000000000000000000000000000000000000000000%000000000000000000000000000000000000000000000000000000000000000000; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1536418617
dnt: 1
pragma: no-cache
referer: https://niceguyit.biz/wp-admin/customize.php?return=%2Fwp-admin%2F
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36

Query String Parameters
=======================
customize_changeset_uuid: 00000000-0000-0000-0000-000000000000
customize_theme: enigma-niceguyit
customize_messenger_channel: preview-0
 
The New issue wizard shows the Channel next to Operating system and Version, like so. I took it to mean the channel of the OS, since the Chrome channel can be derived from the version.

[Chrome version]
[Operating system]  [Version]  [Channel]
[Flash version]

This bug also exists in Google Chrome version 70.0.3538.9.
Labels: Needs-Triage-M69
Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Owner: andypaicu@chromium.org
Status: Assigned (was: Unconfirmed)
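As an added example (written for this page; it is not code from the bug report or from Chromium), the following JavaScript implements frame-ancestors source matching along the lines of the CSP3 source-expression rules: scheme-part, host-part and port-part matching, plus 'self', 'none' and scheme-sources such as "https:". It assumes, as RFC 3986 section 3.2.2 and the CSP3 host-part match do, that host names compare ASCII case-insensitively, which is what makes the header served above (frame-ancestors https://NiceGuyIT.biz) a match for an ancestor at https://niceguyit.biz. The function and option names (frameAncestorsAllows, hostPartMatch, caseSensitive) are this example's own; the caseSensitive switch reproduces the comparison the report describes so the two outcomes can be put side by side.

```javascript
// Added example, not from the bug report or from Chromium: a minimal
// frame-ancestors matcher following the CSP3 source-expression rules.
// Host names are case-insensitive (RFC 3986 s3.2.2) and the CSP3
// host-part match is an ASCII case-insensitive comparison, so the
// directive "frame-ancestors https://NiceGuyIT.biz" must allow an
// ancestor at https://niceguyit.biz. The caseSensitive option reproduces
// the behaviour the report describes so the two can be compared.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a directive value into its source expressions.
function parseSourceList(value) {
  return value.trim().split(/[ \t]+/).filter(Boolean);
}

// Split a host-source ("https://Host:8443", "*.example.com", "*") into parts.
// Expressions carrying a path-part are not handled here and are skipped.
function parseHostSource(expr) {
  const m = /^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, host: m[2], port: m[3] || null };
}

// Scheme-part match: identical schemes match, and an http: expression is
// allowed to match an https: URL (CSP3), never the reverse. The ws:/wss:
// rules are omitted because frame ancestors are always http(s) documents.
function schemeMatch(exprScheme, urlScheme) {
  return exprScheme === urlScheme || (exprScheme === "http:" && urlScheme === "https:");
}

// Host-part match. The URL parser already lower-cases the ancestor's host,
// but the pattern comes straight from the header string, so the comparison
// itself must be case-insensitive; caseSensitive=true is the buggy variant.
function hostPartMatch(pattern, host, caseSensitive = false) {
  const norm = (s) => (caseSensitive ? s : s.toLowerCase());
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = norm(pattern.slice(1));            // "*.example.com" -> ".example.com"
    return norm(host).endsWith(suffix) && norm(host).length > suffix.length;
  }
  return norm(pattern) === norm(host);
}

// Port-part match. A WHATWG URL reports "" for the scheme's default port.
function portPartMatch(exprPort, url) {
  if (exprPort === null) return url.port === "";     // no port-part: default port only
  if (exprPort === "*") return true;
  return exprPort === (url.port || DEFAULT_PORTS[url.protocol] || "");
}

// Does the frame-ancestors directive `directiveValue`, set on a document at
// `documentOrigin`, permit an ancestor frame whose origin is `ancestorOrigin`?
function frameAncestorsAllows(directiveValue, documentOrigin, ancestorOrigin, opts = {}) {
  const caseSensitive = opts.caseSensitive === true;
  const doc = new URL(documentOrigin);
  const anc = new URL(ancestorOrigin);
  for (const expr of parseSourceList(directiveValue)) {
    const lower = expr.toLowerCase();
    if (lower === "'none'") continue;                  // 'none' on its own: nothing matches
    if (lower === "'self'") {
      if (anc.origin === doc.origin) return true;
      continue;
    }
    if (/^[A-Za-z][A-Za-z0-9+.-]*:$/.test(expr)) {     // scheme-source, e.g. "https:"
      if (schemeMatch(lower, anc.protocol)) return true;
      continue;
    }
    const src = parseHostSource(expr);
    if (src === null) continue;                        // unparsable expression: skip it
    const exprScheme = src.scheme || doc.protocol;     // no scheme-part: the document's scheme
    if (schemeMatch(exprScheme, anc.protocol) &&
        hostPartMatch(src.host, anc.hostname, caseSensitive) &&
        portPartMatch(src.port, anc)) {
      return true;
    }
  }
  return false;
}

// The case from the report: the header as served, the ancestor as the browser saw it.
const POLICY = "https://NiceGuyIT.biz";                 // value of the content-security-policy header above
const PAGE = "https://niceguyit.biz";                   // the framed preview document
const ANCESTOR = "https://niceguyit.biz";               // where wp-admin/customize.php is loaded from
console.log("spec-correct:", frameAncestorsAllows(POLICY, PAGE, ANCESTOR));                                   // true
console.log("case-sensitive (as reported):", frameAncestorsAllows(POLICY, PAGE, ANCESTOR, { caseSensitive: true })); // false
```

Run under node: the case-insensitive comparison allows the frame, as Firefox 63 beta did, and the caseSensitive variant refuses it, as Chrome 69 did. A real user agent runs this check once per ancestor in the frame chain and refuses the document if any ancestor fails; this example only models the single comparison the error message in the report is about.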
