While reading through the Formal Policy Syntax of the CSP, it occurred to me
that the meaning of "allow *" might be confusing.  The wildcard seems to
correspond to a hostname only, and not to a scheme or port.

<source>            ::= "'self'"
                      | <scheme><host><port>

<scheme>            ::= <empty>
                      | <scheme-name>":"
                      | <scheme-name>":/"
                      | <scheme-name>"://"

<scheme-name>       ::= <alpha><scheme-suffix>

<host>              ::= <empty>
                      | <host-name>

<host-name>         ::= "*"
                      | <ldh-str>
                      | <host-name>"."<ldh-str>

<port>              ::= <empty>
                      | ":*"
                      | ":"<integer>

In the case where the source is "*", the above syntax would imply that <scheme>
is <empty>, <host> is "*", and <port> is <empty>.  And, according to the
CSP, when a scheme or port isn't specified, it defaults to the same scheme
and default port of the originating resource.

https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List

Source expressions may also specify a scheme and/or port. If the scheme is
not specified as part of the source expression it defaults to the same
scheme as the protected document. If a port is not specified as the source
expression, the port used for the source is the default port for the
source's scheme (whether it is inherited or explicitly specified in the
source expression).


However, the examples (
https://wiki.mozilla.org/Security/CSP/Spec#Sample_Policy_Definitions) paint
a different picture.  Example #2, in particular, says that

  X-Content-Security-Policy: allow 'self'; img-src *; ...

will allow an image "from anywhere".  However, my reading of the syntax is
that it will only allow images from the same scheme and default port.  (For
example, an HTTP page couldn't include an image from an HTTPS source.)

1) Is my reading of "allow *" correct?

2) How does one specify a wildcard for any protocol?

The syntax

  allow *://*:*

does not seem to be allowed by the formal specification.

-- Nick
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
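To make the question concrete, here is an added example (not from the original post or from the Mozilla spec) that parses a <source> with the BNF quoted above and resolves an omitted scheme and port the way the quoted sentences describe, so the two readings of "img-src *" can be compared on real URLs. The <scheme-suffix> character set (RFC 3986 scheme characters), the default-port table and the treatment of an empty <host> as "any host" are assumptions, since the post does not define them.

```python
import re
from urllib.parse import urlsplit

# The <source> grammar quoted in the post. <scheme-suffix> is not defined there,
# so RFC 3986 scheme characters are assumed; <ldh-str> is letters, digits and
# hyphens. A <scheme-name> starts with <alpha>, so "*" can never be a scheme.
SOURCE_RE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*):/{0,2})?"
    r"(?P<host>(?:\*|[A-Za-z0-9-]+)(?:\.[A-Za-z0-9-]+)*)?"
    r"(?::(?P<port>\*|[0-9]+))?$"
)
DEFAULT_PORTS = {"http": 80, "https": 443}  # assumed default-port table

def parse_source(expr):
    """Return (scheme, host, port), None standing for <empty>; None if invalid."""
    if expr == "'self'":
        return ("'self'", None, None)
    m = SOURCE_RE.match(expr)
    return (m.group("scheme"), m.group("host"), m.group("port")) if expr and m else None

def _effective(url):
    """Lower-cased scheme and host plus the concrete port of a URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port

def source_allows(expr, protected_url, resource_url):
    """Apply the quoted defaulting rules: does expr permit resource_url?"""
    parsed = parse_source(expr)
    if parsed is None:
        return False  # a malformed source expression grants nothing
    p_scheme, p_host, p_port = _effective(protected_url)
    r_scheme, r_host, r_port = _effective(resource_url)
    scheme, host, port = parsed
    if scheme == "'self'":
        return (r_scheme, r_host, r_port) == (p_scheme, p_host, p_port)
    # Omitted scheme inherits the protected document's; omitted port is the
    # default port for that (inherited or explicit) scheme.
    scheme = (scheme or p_scheme).lower()
    if scheme != r_scheme:
        return False
    if port != "*" and (int(port) if port else DEFAULT_PORTS.get(scheme)) != r_port:
        return False
    if host is None or host == "*":  # empty host treated as any host (assumption)
        return True
    if host.startswith("*."):
        return r_host.endswith(host[1:].lower())
    return r_host == host.lower()
```

Under this reading, "*" on an http:// page admits http://images.example.net/a.png but not the same image over https:// or on port 8080, while "*://*:*" is rejected by the grammar outright.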