Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handling of 'self' is unclear when inheriting CSP to local scheme #248

Closed
shhnjk opened this issue Oct 4, 2017 · 9 comments
Closed

Handling of 'self' is unclear when inheriting CSP to local scheme #248

shhnjk opened this issue Oct 4, 2017 · 9 comments

Comments

@shhnjk
Copy link
Member

shhnjk commented Oct 4, 2017
edited

Spec requires inheriting CSP to local-scheme.
https://w3c.github.io/webappsec-csp/#initialize-document-csp

But it is not clear how to handle 'self' in this case.

PoC
https://test.shhnjk.com/local_scheme.html

Chrome takes 'self' as local-scheme itself. Where Firefox takes 'self' as embedding document's origin.
@annevk
Copy link
Member

annevk commented Oct 4, 2017

cc @ckerschb

@andypaicu
Copy link
Collaborator

andypaicu commented Oct 13, 2017
edited

I think if you were to follow the spec to the letter currently, the Chrome behavior is correct because the 'self' keyword only gets handled in here: https://w3c.github.io/webappsec-csp/#match-url-to-source-expression. This means that aliasing the policy won't magically keep 'self' locked to the embedder meaning of 'self'. I think Firefox actually expands 'self' into the origin when parsing the policy which would explain the different behaviour.

Edit: updating link to one that isn't pointing at my local file...

@annevk
Copy link
Member

annevk commented Oct 13, 2017

Yeah indeed, since a data: URL always computes to an opaque origin it can never be the same as that origin variable.

One arguably editorial bug here is that "same" is not a reference to "same origin". Definitely editorial is the inconsistent usage of trailing dots.

@annevk
Copy link
Member

annevk commented Oct 13, 2017

It would be good to have this covered in the test suite (and would also be good to have a bug against Firefox if none is filed already).

@shhnjk
Copy link
Member Author

shhnjk commented Oct 24, 2017

Bug filed for Firefox.
https://bugzilla.mozilla.org/show_bug.cgi?id=1410754

@shhnjk shhnjk mentioned this issue Oct 27, 2017
Closed
@dveditz
Copy link
Member

dveditz commented Oct 31, 2017

An opaque origin doesn't even match itself, so if you interpret 'self' as meaning the data URL then it's a completely pointless directive in a data: url's CSP

By analogy, in a sandboxed iframe (effective origin is opaque) we still resolve relative URLs relative to the creating document. That's what Firefox is doing with our interpretation of 'self' and it's hard to see how that's wrong. At the very least it seems useful.

@shhnjk
Copy link
Member Author

shhnjk commented Oct 31, 2017
edited

That's right. This is why I've opened issue 259 and 260.

@ckerschb
Copy link

ckerschb commented Nov 2, 2017

"To answer this question: I think Firefox actually expands 'self' into the origin when parsing the policy which would explain the different behaviour."

That's correct, by the time the CSP Parser evaluates 'self' (within Firefox) it gets translated into the protected document's origin. If then that CSP gets inherited into a data: URI iframe, then the iframe inherits a CSP with the parent's protected document URI as 'self'.

@andypaicu
Copy link
Collaborator

#362

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dveditz @ckerschb @annevk @shhnjk @andypaicu