Implementer differences from Kevin Hill on 2014-10-30 (public-webappsec@w3.org from October 2014)

From: Kevin Hill <khill@microsoft.com>
Date: Thu, 30 Oct 2014 20:45:47 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <a87a9803cfe942588b2ce4fd1940c44c@SN2PR03MB031.namprd03.prod.outlook.com>

We think the test may be incorrect but we are seeing differences in implementations between FF and Chrome for the way blobs are treated.  We thought FF implemented correctly here according to the spec, but wanted to share this info with the group to see what you thought.  Mike, Dan?

Looking at results in the test suite for CSP 1.0
http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_2.php

Chrome:
Resource interpreted as Script but transferred with MIME type text/plain: "blob:http%3A//webappsec-test.info/d2a892d9-6544-4637-8529-050bc0e9421b". buildBlobEval.php:12
FireFox:
Content Security Policy: The page's settings blocked the loading of a resource at blob:4a222806-7fe4-48ad-9d07-802c016a3340 ("script-src http://webappsec-test.info http://www.webappsec-test.info").

http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_3.php
Chrome:
Refused to load the script 'blob:http%3A//webappsec-test.info/7bde08e7-5791-441c-b280-2472965453d3' because it violates the following Content Security Policy directive: "script-src blob: www.webappsec-test.info".
FireFox:
Fails both tests and allows the Eval-equivalent and Verify report contents.

Received on Thursday, 30 October 2014 20:46:17 UTC