RESOLVED FIXED Bug 153168
CSP: Disallow an empty host in a host-source source expression
https://bugs.webkit.org/show_bug.cgi?id=153168
Summary CSP: Disallow an empty host in a host-source source expression
Daniel Bates
Reported 2016-01-15 18:10:04 PST
We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=180407>.

Disallow an empty host in a CSP host-source directive

Currently "https://" is accepted and treated like "https:". This behavior has never been part of any standard.

The syntax is specified in http://www.w3.org/TR/CSP11/#source-list-syntax

    host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
    host-part   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )

As you can see, the host-part is NOT optional.
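The grammar quoted in the report, as an added example that is not part of the original report and is not WebKit or Blink code: a small classifier that rejects `https://` while still accepting `https:` as a scheme-source. The function names are hypothetical, the `scheme-part`, `host-char` and `port-part` rules are taken from the same CSP 1.1 section, and `path-part` is simplified to "anything starting with `/`".

```javascript
// Added example: classify CSP source expressions against the grammar quoted
// in the report. The sample source list at the bottom is constructed.
const SCHEME = "[A-Za-z][A-Za-z0-9+.-]*";   // scheme-part
const HOST_CHARS = "[A-Za-z0-9-]+";          // 1*host-char
// host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
const HOST = `(?:\\*|(?:\\*\\.)?${HOST_CHARS}(?:\\.${HOST_CHARS})*)`;
const PORT = "(?::(?:[0-9]+|\\*))?";         // [ port-part ]
const PATH = "(?:/[^\\s;,]*)?";              // [ path-part ], simplified (assumption)

// scheme-source = scheme-part ":"
const SCHEME_SOURCE = new RegExp(`^${SCHEME}:$`);
// host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
// HOST is not wrapped in an optional group, so an empty host cannot match.
const HOST_SOURCE = new RegExp(`^(?:${SCHEME}://)?${HOST}${PORT}${PATH}$`);

function classifySourceExpression(expr) {
  // Quoted forms ('self', 'none', nonces, hashes) are outside this example.
  if (/^'.*'$/.test(expr)) return "quoted-source";
  if (SCHEME_SOURCE.test(expr)) return "scheme-source";
  if (HOST_SOURCE.test(expr)) return "host-source";
  return "invalid";
}

// Return the expressions in a source list that a conforming parser must ignore.
function findInvalidSources(sourceList) {
  return sourceList
    .trim()
    .split(/\s+/)
    .filter((e) => e && classifySourceExpression(e) === "invalid");
}

// Constructed sample: "https://" and "http://:80" both have an empty host.
const sample =
  "'self' https: https:// https://example.com *.example.com:443 http://:80";
console.log(findInvalidSources(sample));
```

A policy author who wrote `https://` expecting a scheme-wide allowance gets no allowance from that token once the empty host is rejected, so a check like this is useful when auditing deployed policies before the parser change ships.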
Attachments
Patch (3.36 KB, patch)
2016-02-16 11:51 PST, Daniel Bates
bfulgham: review+
Radar WebKit Bug Importer
Comment 1 2016-01-27 20:59:42 PST
Daniel Bates
Comment 2 2016-02-16 11:51:04 PST
Brent Fulgham
Comment 3 2016-02-16 12:28:32 PST
Comment on attachment 271461 Patch
r=me.
Daniel Bates
Comment 4 2016-02-16 13:16:18 PST