
Re: Implementer differences

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 30 Oct 2014 15:09:57 -0700
Message-ID: <CAEeYn8g15VZoTLyCLVHsh7myGD+2uKGs0DwVO3vqdeUQKxou0g@mail.gmail.com>
To: Kevin Hill <khill@microsoft.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

This test is incorrect!  Or, rather, it tests behavior that was
under-specified in CSP 1.0 and where implementations differed. It does
not test the correctly specified CSP Level 2 behavior. (in which blob:
must be explicitly listed as a scheme source and is not matched by *)

BTW:  I *really* need to update my site, but that test suite is
DEPRECATED.  The new one is at:

http://w3c-test.org/tools/runner/index.html?path=/content-security-policy

:)

On Thu, Oct 30, 2014 at 1:45 PM, Kevin Hill <khill@microsoft.com> wrote:
> We think the test may be incorrect but we are seeing differences in
> implementations between FF and Chrome for the way blobs are treated.  We
> thought FF implemented correctly here according to the spec, but wanted to
> share this info with the group to see what you thought.  Mike, Dan?
>
> Looking at results in the test suite for CSP 1.0
>
> http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_2.php
>
> Chrome:
>
> Resource interpreted as Script but transferred with MIME type text/plain:
> "blob:http%3A//webappsec-test.info/d2a892d9-6544-4637-8529-050bc0e9421b".
> buildBlobEval.php:12
>
> Firefox:
>
> Content Security Policy: The page's settings blocked the loading of a
> resource at blob:4a222806-7fe4-48ad-9d07-802c016a3340 ("script-src
> http://webappsec-test.info http://www.webappsec-test.info").
>
> http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_3.php
>
> Chrome:
>
> Refused to load the script
> 'blob:http%3A//webappsec-test.info/7bde08e7-5791-441c-b280-2472965453d3'
> because it violates the following Content Security Policy directive:
> "script-src blob: www.webappsec-test.info".
>
> Firefox:
>
> Fails both tests and allows the Eval-equivalent and Verify report contents.
Received on Thursday, 30 October 2014 22:10:24 UTC
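
As an added illustration of the CSP Level 2 matching rule Brad describes (this is not code from the thread or from the w3c test suite), here is a small Python model of source-expression matching: `*` never matches blob:, data: or filesystem: URLs, while an explicit `blob:` scheme-source does. It is simplified (no path-part, no keyword sources such as 'self', no nonces or hashes, and no http-to-https relaxation), and the function names are my own.

```python
from urllib.parse import urlsplit

# Simplified model of CSP Level 2 source-expression matching (constructed example).
# Not modelled: path-part, keyword sources ('self', 'unsafe-inline', ...), nonces/hashes.
NON_NETWORK_SCHEMES = {"blob", "data", "filesystem"}   # "*" never matches these in CSP2
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def match_host_source(expr, url, page_scheme):
    """Match a host-source such as 'www.example.com' or 'https://*.example.com:8443'."""
    if "://" in expr:
        expr_scheme, rest = expr.split("://", 1)
        expr_scheme = expr_scheme.lower()
    else:
        expr_scheme, rest = page_scheme, expr  # no scheme-part: inherit the page's scheme
    parts = urlsplit(url)
    url_scheme = parts.scheme.lower()
    if url_scheme != expr_scheme or parts.hostname is None:
        return False
    host_part, _, port_part = rest.partition(":")
    host_part = host_part.lower()               # urlsplit().hostname is already lower-cased
    if host_part.startswith("*."):
        if not parts.hostname.endswith(host_part[1:]):
            return False
    elif parts.hostname != host_part:
        return False
    if port_part == "*":
        return True
    url_port = parts.port or DEFAULT_PORTS.get(url_scheme)
    expr_port = int(port_part) if port_part else DEFAULT_PORTS.get(expr_scheme)
    return url_port == expr_port


def matches(expr, url, page_scheme="http"):
    """Does one source expression match the URL of a fetched resource?"""
    url_scheme = urlsplit(url).scheme.lower()   # "blob:<uuid>" and "blob:http%3A//..." both give "blob"
    if expr == "*":
        return url_scheme not in NON_NETWORK_SCHEMES
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. "blob:" or "https:"
        return url_scheme == expr[:-1].lower()
    return match_host_source(expr, url, page_scheme)


def policy_allows(source_list, url, page_scheme="http"):
    """Evaluate a directive value such as "blob: www.example.com" (directive name stripped)."""
    exprs = source_list.split()
    if exprs == ["'none'"]:
        return False
    return any(matches(e, url, page_scheme) for e in exprs)
```

Run against the two policies quoted in the thread, the first (hosts only) rejects the blob: script and the second (explicit `blob:`) accepts it, which is the Level 2 outcome regardless of what either 2014 browser did.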
