- From: Mike West <mkwst@google.com>
- Date: Mon, 28 Sep 2015 15:43:50 +0200
- To: André N. Klingsheim <andre.klingsheim@owasp.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=d_uX3orJZXvMBPERzbKm9ZqmkNxgXfv8KWnzMMBrUBEg@mail.gmail.com>
On Sun, Sep 27, 2015 at 11:46 PM, André N. Klingsheim < andre.klingsheim@owasp.org> wrote: > Webappsec people, > > > > I’m the maintainer of the NWebsec security header library for ASP.NET, > and an issue with CSP connect-src ‘self’ was recently brought to my > attention. Declaring the ‘self’ source will not allow websockets back to > the same host, I assume it’s because it’s not the same origin since the > scheme differs. Firefox and Chrome/Opera all behave the same, I’ve tested > them just now in their latest (stable) versions. > > Right. This is the specified behavior. > Would it make sense to allow same host websockets when declaring > connect-src ‘self’? I believe this would be intuitive CSP behaviour for > adopters of the header. One can easily get the impression that this is how > it works when reading the spec. > I think this is probably worth considering as a simplification for developers, though it complicates the model a little bit by changing an origin-based comparison into a host-based comparison. Locking it to schemes with the same security properties or better might be doable (e.g. 'self' on `http://example.com` could allow `ws://example.com` or `wss://example.com`, but 'self' on `https://example.com` would only allow `wss://example.com`. *shrug* Worth thinking about for CSP3. File a bug? https://github.com/w3c/webappsec/issues/new?title=CSP:%20 -mike
Received on Monday, 28 September 2015 13:44:39 UTC