- From: Kevin Hill <khill@microsoft.com>
- Date: Fri, 31 Oct 2014 13:48:01 +0000
- To: Brad Hill <hillbrad@gmail.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Yup, we know the test is incorrect; I was just using it (even in its incorrectness) to show the current behavior differences. Looking to Dan/Mike to understand the difference better.

-----Original Message-----
From: Brad Hill [mailto:hillbrad@gmail.com]
Sent: Thursday, October 30, 2014 3:10 PM
To: Kevin Hill
Cc: public-webappsec@w3.org
Subject: Re: Implementer differences

This test is incorrect! Or, rather, it tests behavior that was under-specified in CSP 1.0 and where implementations differed. It does not test the correctly specified CSP Level 2 behavior (in which blob: must be explicitly listed as a scheme source and is not matched by *).

BTW: I *really* need to update my site, but that test suite is DEPRECATED. The new one is at:

http://w3c-test.org/tools/runner/index.html?path=/content-security-policy

:)

On Thu, Oct 30, 2014 at 1:45 PM, Kevin Hill <khill@microsoft.com> wrote:
> We think the test may be incorrect but we are seeing differences in
> implementations between FF and Chrome for the way blobs are treated.
> We thought FF implemented correctly here according to the spec, but
> wanted to share this info with the group to see what you thought. Mike, Dan?
>
> Looking at results in the test suite for CSP 1.0
>
> http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_2.php
>
> Chrome:
>
> Resource interpreted as Script but transferred with MIME type text/plain:
> "blob:http%3A//webappsec-test.info/d2a892d9-6544-4637-8529-050bc0e9421b".
> buildBlobEval.php:12
>
> Firefox:
>
> Content Security Policy: The page's settings blocked the loading of a
> resource at blob:4a222806-7fe4-48ad-9d07-802c016a3340 ("script-src
> http://webappsec-test.info http://www.webappsec-test.info").
>
> http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_3.php
>
> Chrome:
>
> Refused to load the script
> 'blob:http%3A//webappsec-test.info/7bde08e7-5791-441c-b280-2472965453d3'
> because it violates the following Content Security Policy directive:
> "script-src blob: www.webappsec-test.info".
>
> Firefox:
>
> Fails both tests and allows the Eval-equivalent and Verify report contents.
Received on Friday, 31 October 2014 13:48:35 UTC
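The CSP Level 2 rule Brad describes (blob: is a scheme-source that must be listed explicitly and is not matched by *), as an added example that is not part of the thread or of any browser's code: a simplified script-src source-list matcher evaluated against the two policies the thread quotes. It assumes the WHATWG URL parser (Node or a browser) and models only '*', scheme-sources and host-sources; keyword sources, ports and paths are left out, and the blob UUID is constructed.

```javascript
// Simplified CSP Level 2 source-list matching for script-src (added example,
// not code from the thread or from any browser). Models '*', scheme-sources
// such as 'blob:' and host-sources; keyword sources, ports and paths are omitted.
const WILDCARD_EXEMPT_SCHEMES = new Set(['blob', 'data', 'filesystem']);

// Reduce a URL to scheme and host. A blob URL carries its origin in the path
// ("blob:http://host/uuid"), so the WHATWG parser reports scheme "blob" and host "".
function parseUrl(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol.slice(0, -1).toLowerCase(), host: u.hostname.toLowerCase() };
}

// Does one source expression match the URL? pageScheme is the protected
// document's scheme, used when a host-source omits its own scheme.
function expressionMatches(expr, url, pageScheme) {
  expr = expr.toLowerCase();
  if (expr.startsWith("'")) return false;             // 'self', nonces, hashes: not modelled
  // '*' matches everything except blob:, data: and filesystem: URLs (CSP2 4.2.2)
  if (expr === '*') return !WILDCARD_EXEMPT_SCHEMES.has(url.scheme);
  // scheme-source, e.g. "blob:" or "https:": only the URL's scheme has to match
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.scheme === expr.slice(0, -1);
  // host-source: [scheme://]host; a blob: URL never matches one, its scheme is "blob"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)/.exec(expr);
  if (!m) return false;
  const scheme = m[1] || pageScheme;
  const host = m[2];
  // an http host-source also permits the https form of the same host
  if (url.scheme !== scheme && !(scheme === 'http' && url.scheme === 'https')) return false;
  if (host === '*') return true;
  if (host.startsWith('*.')) return url.host.endsWith(host.slice(1));
  return url.host === host;
}

// Evaluate a whole source list (the value of a script-src directive).
function sourceListAllows(sourceList, urlString, pageScheme = 'http') {
  const exprs = sourceList.trim().split(/\s+/).filter(Boolean);
  if (exprs.length === 0 || exprs.includes("'none'")) return false;
  const url = parseUrl(urlString);
  return exprs.some((e) => expressionMatches(e, url, pageScheme));
}

// Constructed blob URL in the shape Chrome logs in the thread (the UUID is made up).
const BLOB_SCRIPT = 'blob:http://webappsec-test.info/00000000-0000-4000-8000-000000000000';

// The two policies from the thread, evaluated against that blob: script.
console.log(sourceListAllows('http://webappsec-test.info http://www.webappsec-test.info', BLOB_SCRIPT)); // false
console.log(sourceListAllows('blob: www.webappsec-test.info', BLOB_SCRIPT)); // true
console.log(sourceListAllows('*', BLOB_SCRIPT)); // false: '*' does not cover blob:
```

Under this model Firefox's block of the blob: script against the host-only policy is the Level 2 result, while a policy that lists blob: explicitly permits it.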