On Sun, Sep 27, 2015 at 11:46 PM, André N. Klingsheim <andre.klingsheim@owasp.org> wrote:

> Webappsec people,
>
> I’m the maintainer of the NWebsec security header library for ASP.NET, and an issue with CSP connect-src ‘self’ was recently brought to my attention. Declaring the ‘self’ source will not allow websockets back to the same host, I assume it’s because it’s not the same origin since the scheme differs. Firefox and Chrome/Opera all behave the same, I’ve tested them just now in their latest (stable) versions.

Right. This is the specified behavior.

> Would it make sense to allow same host websockets when declaring connect-src ‘self’? I believe this would be intuitive CSP behaviour for adopters of the header. One can easily get the impression that this is how it works when reading the spec.

I think this is probably worth considering as a simplification for developers, though it complicates the model a little bit by changing an origin-based comparison into a host-based comparison. Locking it to schemes with the same security properties or better might be doable (e.g. 'self' on `http://example.com` could allow `ws://example.com` or `wss://example.com`, but 'self' on `https://example.com` would only allow `wss://example.com`). *shrug*

Worth thinking about for CSP3. File a bug? https://github.com/w3c/webappsec/issues/new?title=CSP:%20

-mike

Received on Monday, 28 September 2015 13:44:39 UTC
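The two matching rules under discussion, as an added example that is not part of the original thread or of NWebsec: `self_matches_origin` models the specified behaviour André ran into ('self' is a strict origin comparison, so a wss: connection from an https: page does not match because the scheme differs), and `self_matches_proposed` models the host-based relaxation Mike sketches (same host, same port or the default port for each scheme, and a target scheme with security properties at least as good as the page's). The function names, the default-port table and the sample URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Default ports per scheme, used when a URL carries no explicit port (assumption for this example).
DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}

# Proposed relaxation: a page served over the key scheme may connect over the value schemes.
# http pages may use anything; https pages may only use secure schemes (https, wss).
ALLOWED_TARGET_SCHEMES = {
    "http": {"http", "https", "ws", "wss"},
    "https": {"https", "wss"},
}


def _origin_parts(url):
    """Return (scheme, host, effective port) for a URL, lower-cased and with defaults filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def self_matches_origin(page_url, target_url):
    """'self' as specified in CSP2: scheme, host and port must all be identical (origin comparison)."""
    return _origin_parts(page_url) == _origin_parts(target_url)


def self_matches_proposed(page_url, target_url):
    """'self' under the host-based relaxation sketched in the reply above.

    Matches when the hosts are equal, the ports are equal (or both are the default
    port for their own scheme), and the target scheme is in the allowed set for
    the page's scheme, so an https page never gets downgraded to ws or http.
    """
    p_scheme, p_host, p_port = _origin_parts(page_url)
    t_scheme, t_host, t_port = _origin_parts(target_url)
    if t_scheme not in ALLOWED_TARGET_SCHEMES.get(p_scheme, set()):
        return False
    if p_host != t_host:
        return False
    ports_equivalent = p_port == t_port or (
        p_port == DEFAULT_PORTS.get(p_scheme) and t_port == DEFAULT_PORTS.get(t_scheme)
    )
    return ports_equivalent


if __name__ == "__main__":
    # Constructed sample: the exact case from the report, an https page opening a wss socket to itself.
    page = "https://example.com/app"
    socket_url = "wss://example.com/live"
    print("specified 'self':", self_matches_origin(page, socket_url))   # False: different scheme
    print("proposed 'self':", self_matches_proposed(page, socket_url))  # True: same host, secure scheme
```

The strict rule is what all three browsers enforce today, which is why `connect-src 'self'` blocks the WebSocket; the relaxed rule only ever widens the match toward equally-secure or more-secure schemes on the same host, so it never lets an https page open a cleartext ws: connection.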