W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: [CSP2] connect-src 'self' and websockets

From: Mike West <mkwst@google.com>
Date: Mon, 28 Sep 2015 15:43:50 +0200
Message-ID: <CAKXHy=d_uX3orJZXvMBPERzbKm9ZqmkNxgXfv8KWnzMMBrUBEg@mail.gmail.com>
To: André N. Klingsheim <andre.klingsheim@owasp.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Sep 27, 2015 at 11:46 PM, André N. Klingsheim <
andre.klingsheim@owasp.org> wrote:

> Webappsec people,
>
>
>
> I’m the maintainer of the NWebsec security header library for ASP.NET,
> and an issue with CSP connect-src ‘self’ was recently brought to my
> attention. Declaring the ‘self’ source will not allow websockets back to
> the same host, I assume it’s because it’s not the same origin since the
> scheme differs. Firefox and Chrome/Opera all behave the same, I’ve tested
> them just now in their latest (stable) versions.
>
>
Right. This is the specified behavior.


> Would it make sense to allow same host websockets when declaring
> connect-src ‘self’? I believe this would be intuitive CSP  behaviour for
> adopters of the header. One can easily get the impression that this is how
> it works when reading the spec.
>

I think this is probably worth considering as a simplification for
developers, though it complicates the model a little bit by changing an
origin-based comparison into a host-based comparison. Locking it to schemes
with the same security properties or better might be doable (e.g. 'self' on
`http://example.com` could allow `ws://example.com` or `wss://example.com`,
but 'self' on `https://example.com` would only allow `wss://example.com`.

*shrug* Worth thinking about for CSP3. File a bug?
https://github.com/w3c/webappsec/issues/new?title=CSP:%20

-mike
Received on Monday, 28 September 2015 13:44:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC