- From: Brad Hill <hillbrad@gmail.com>
- Date: Thu, 30 Oct 2014 15:09:57 -0700
- To: Kevin Hill <khill@microsoft.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
This test is incorrect! Or, rather, it tests behavior that was under-specified in CSP 1.0 and where implementations differed. It does not test the correctly specified CSP Level 2 behavior (in which blob: must be explicitly listed as a scheme source and is not matched by *).

BTW: I *really* need to update my site, but that test suite is DEPRECATED. The new one is at: http://w3c-test.org/tools/runner/index.html?path=/content-security-policy :)

On Thu, Oct 30, 2014 at 1:45 PM, Kevin Hill <khill@microsoft.com> wrote:

> We think the test may be incorrect but we are seeing differences in
> implementations between FF and Chrome for the way blobs are treated. We
> thought FF implemented correctly here according to the spec, but wanted to
> share this info with the group to see what you thought. Mike, Dan?
>
> Looking at results in the test suite for CSP 1.0
>
> http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_2.php
>
> Chrome:
>
> Resource interpreted as Script but transferred with MIME type text/plain:
> "blob:http%3A//webappsec-test.info/d2a892d9-6544-4637-8529-050bc0e9421b".
> buildBlobEval.php:12
>
> FireFox:
>
> Content Security Policy: The page's settings blocked the loading of a
> resource at blob:4a222806-7fe4-48ad-9d07-802c016a3340 ("script-src
> http://webappsec-test.info http://www.webappsec-test.info").
>
> http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_3.php
>
> Chrome:
>
> Refused to load the script
> 'blob:http%3A//webappsec-test.info/7bde08e7-5791-441c-b280-2472965453d3'
> because it violates the following Content Security Policy directive:
> "script-src blob: www.webappsec-test.info".
>
> FireFox:
>
> Fails both tests and allows the Eval-equivalent and Verify report contents.
Received on Thursday, 30 October 2014 22:10:24 UTC
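The CSP Level 2 rule Brad describes (blob: must be listed as an explicit scheme-source and is never matched by *) can be made concrete with a small source-list matcher. The following is an added example written for this page, not browser code and not part of the test suite discussed above; it implements only the subset of the Level 2 "does URL match source expression?" algorithm needed here (`*`, `'self'`, scheme-sources, and host-sources with wildcard host, port and path), and the blob: script URL it evaluates is constructed in the shape of the ones Chrome logged in the thread. Run it with Node.js, whose `URL` class parses blob: URLs.

```javascript
// Added example: a minimal CSP Level 2 source-list matcher, not browser code.
// Covers `*`, 'self', scheme-source ("blob:", "https:") and host-source
// ([scheme://]host[:port][/path]); nonces, hashes and 'unsafe-*' are treated
// as non-URL matchers. Scenario URLs below are constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// CSP Level 2: `*` matches any URL whose scheme is not one of these.
const STAR_EXCLUDED = new Set(["blob:", "data:", "filesystem:"]);

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// "*.example.org" matches one or more subdomains of example.org, never the
// bare domain; anything else is a case-insensitive exact host match.
function hostMatches(pattern, hostname) {
  const h = hostname.toLowerCase();
  const p = pattern.toLowerCase();
  if (p.startsWith("*.")) return h.endsWith(p.slice(1));
  return h === p;
}

// Does `url` match a single source expression, relative to the protected
// resource's origin `self`?
function matchesSourceExpression(expr, url, self) {
  if (expr === "*") return !STAR_EXCLUDED.has(url.protocol);
  if (expr === "'self'") {
    return url.protocol === self.protocol &&
      url.hostname === self.hostname &&
      effectivePort(url) === effectivePort(self);
  }
  // 'none', 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL.
  if (expr.startsWith("'")) return false;

  // scheme-source: "blob:", "https:", ... matches any URL with that scheme.
  const schemeSource = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeSource) return url.protocol === schemeSource[1].toLowerCase() + ":";

  // host-source: [scheme "://"] host [":" port] [path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ":") return false;
  } else {
    // No scheme in the expression: the URL must use the protected resource's
    // scheme (an http page may also load https). A blob: URL never qualifies.
    const same = url.protocol === self.protocol;
    const upgraded = self.protocol === "http:" && url.protocol === "https:";
    if (!same && !upgraded) return false;
  }
  if (!hostMatches(host, url.hostname)) return false;

  if (port === undefined) {
    // No port in the expression: the URL must be on its scheme's default port.
    if (effectivePort(url) !== (DEFAULT_PORTS[url.protocol] || "")) return false;
  } else if (port !== "*" && port !== effectivePort(url)) {
    return false;
  }

  if (path) {
    // A path ending in "/" is a prefix match; otherwise the path must be exact.
    if (path.endsWith("/")) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Does `urlString` match the whole source list? Any expression may match,
// unless the list is exactly 'none'.
function allowsUrl(sourceList, urlString, selfOrigin) {
  const exprs = sourceList.trim().split(/\s+/);
  if (exprs.length === 1 && exprs[0] === "'none'") return false;
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  return exprs.some((e) => matchesSourceExpression(e, url, self));
}

// The three script-src lists from the thread, evaluated against a blob: script
// URL (constructed here, same shape as the ones Chrome logged) on a page at
// http://webappsec-test.info/.
function threadScenarios() {
  const page = "http://webappsec-test.info/";
  const blobScript = "blob:http://webappsec-test.info/d2a892d9-6544-4637-8529-050bc0e9421b";
  return {
    // `*` alone: blocked under Level 2, because `*` does not match blob:.
    starOnly: allowsUrl("*", blobScript, page),
    // Explicit `blob:` scheme-source: allowed.
    explicitBlob: allowsUrl("blob: www.webappsec-test.info", blobScript, page),
    // Host-sources only: the URL's scheme is blob, not http, so blocked.
    hostsOnly: allowsUrl("http://webappsec-test.info http://www.webappsec-test.info", blobScript, page),
  };
}

console.log(threadScenarios());
```

The `starOnly` case is the one the thread is about: a `script-src *` policy that some CSP 1.0 implementations treated as permitting blob: scripts is, under Level 2, a block, and only `explicitBlob` lets the blob: script through. The same matcher also shows the host-source details that trip people up in practice: a scheme-less host-source inherits the page's scheme, an expression without a port only matches the scheme's default port, and a trailing `/` in the path is a prefix match.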