While reading through the Formal Policy Syntax of the CSP, it occurred to me that the meaning of "allow *" might be confusing. The wildcard seems to correspond to a hostname only, and not to a scheme or port.
    <source>      ::= "'self'" | <scheme><host><port>
    <scheme>      ::= <empty> | <scheme-name>":" | <scheme-name>":/" | <scheme-name>"://"
    <scheme-name> ::= <alpha><scheme-suffix>
    <host>        ::= <empty> | <host-name>
    <host-name>   ::= "*" | <ldh-str> | <host-name>"."<ldh-str>
    <port>        ::= <empty> | ":*" | ":"<integer>

In the case where source is "*", the above syntax would imply that <scheme> is <empty>, <host> is "*", and <port> is <empty>. And, according to the CSP, when a scheme or port isn't specified, it defaults to the same scheme and default port of the originating resource.

https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List

    Source expressions may also specify a scheme and/or port. If the scheme is not specified as part of the source expression it defaults to the same scheme as the protected document. If a port is not specified as the source expression, the port used for the source is the default port for the source's scheme (whether it is inherited or explicitly specified in the source expression).

However, the examples (https://wiki.mozilla.org/Security/CSP/Spec#Sample_Policy_Definitions) paint a different picture. Example #2, in particular, says that

    X-Content-Security-Policy: allow 'self'; img-src *; ...

will allow an image "from anywhere". However, my reading of the syntax is that it will only allow images from the same scheme and default port (for example, an HTTP page couldn't include an image from an HTTPS source).

1) Is my reading of "allow *" correct?

2) How does one specify a wildcard for any protocol? The syntax allow *://*:* does not seem to be allowed by the formal specification.

-- 
Nick

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
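The following is an added example, not part of the message above or of the Mozilla CSP draft: a small Python parser for the <source> grammar exactly as quoted, plus the scheme/port defaulting rule the message cites, so the two readings can be checked mechanically. It models the literal reading of the grammar only, not what any browser actually does. Assumptions, since the quoted grammar leaves them open: <scheme-suffix> is taken as the RFC 3986 scheme character set, <ldh-str> as letters, digits and hyphen, an empty <host> is treated as "any host", "*.example.com" is treated as covering subdomains, and "host:port" is disambiguated from "scheme:" by refusing to read a trailing port number or ":*" as a host.

```python
"""Parser for the CSP <source> grammar quoted in the message, with the
default-scheme / default-port rule applied. Constructed example; it models
the literal grammar, not a browser's implementation."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# <scheme> ::= <empty> | <scheme-name>":" | <scheme-name>":/" | <scheme-name>"://"
# <scheme-name> ::= <alpha><scheme-suffix>   (assumption: RFC 3986 scheme chars)
# The negative lookahead keeps "example.com:8080" from being read as scheme
# "example.com:" with host "8080" (assumption: our own disambiguation rule).
_SCHEME = r"(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*):(?!(?:\*|[0-9]+)$)(?://|/)?)?"
# <host-name> ::= "*" | <ldh-str> | <host-name>"."<ldh-str>   (ldh = letters, digits, hyphen)
_HOST = r"(?P<host>(?:\*|[A-Za-z0-9-]+)(?:\.[A-Za-z0-9-]+)*)?"
# <port> ::= <empty> | ":*" | ":"<integer>
_PORT = r"(?::(?P<port>\*|[0-9]+))?"
_SOURCE_RE = re.compile(rf"^{_SCHEME}{_HOST}{_PORT}$")

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Source:
    self_: bool = False
    scheme: Optional[str] = None   # None == <empty>
    host: Optional[str] = None     # None == <empty>
    port: Optional[str] = None     # None == <empty>; otherwise "*" or decimal digits


def parse_source(text: str) -> Optional[Source]:
    """Return the parsed expression, or None if the grammar does not derive it."""
    if text == "'self'":
        return Source(self_=True)
    if not text:
        return None   # all-empty is derivable but meaningless; reject it
    m = _SOURCE_RE.match(text)
    if not m:
        return None
    return Source(scheme=m["scheme"], host=m["host"], port=m["port"])


def effective_origin(src: Source, document_url: str):
    """Apply the defaulting rule quoted from the spec: a missing scheme inherits
    the protected document's scheme; a missing port is that scheme's default port.
    Returns (scheme, host, port); host "*" and port "*" mean 'any'."""
    doc = urlsplit(document_url)
    if src.self_:
        return doc.scheme.lower(), doc.hostname, doc.port or DEFAULT_PORTS.get(doc.scheme)
    scheme = (src.scheme or doc.scheme).lower()
    host = src.host or "*"   # assumption: an empty <host> means any host
    if src.port is None:
        port = DEFAULT_PORTS.get(scheme)
    elif src.port == "*":
        port = "*"
    else:
        port = int(src.port)
    return scheme, host, port


def host_matches(pattern: str, host: str) -> bool:
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):   # assumption: "*.example.com" covers subdomains
        return host.endswith(pattern[1:].lower())
    return host == pattern.lower()


def source_allows(expression: str, resource_url: str, document_url: str) -> Optional[bool]:
    """True/False: may document_url load resource_url under this source expression?
    None: the expression is not derivable from the quoted grammar at all."""
    src = parse_source(expression)
    if src is None:
        return None
    scheme, host, port = effective_origin(src, document_url)
    res = urlsplit(resource_url)
    res_port = res.port or DEFAULT_PORTS.get(res.scheme.lower())
    return (res.scheme.lower() == scheme
            and host_matches(host, res.hostname or "")
            and (port == "*" or port == res_port))


if __name__ == "__main__":
    page = "http://site.example/"                       # constructed sample document
    for expr in ["*", "*:*", "https:", "'self'", "*://*:*"]:
        for res in ["http://cdn.example/a.png", "https://cdn.example/a.png"]:
            print(f"{expr:10} {res:30} -> {source_allows(expr, res, page)}")
```

Under the literal reading, `img-src *` on an http: document admits `http://cdn.example/a.png` but not `https://cdn.example/a.png`, `*://*:*` is rejected by the parser outright, and a scheme-only expression such as `https:` is the closest the quoted grammar offers for crossing schemes (with the empty-host assumption noted above).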