Bug 153168 - CSP: Disallow an empty host in a host-source source expression
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
Keywords: BlinkMergeCandidate, InRadar
Depends on:
Blocks: 153170
Reported: 2016-01-15 18:10 PST by Daniel Bates
Modified: 2016-02-16 13:16 PST

Patch (3.36 KB, patch)
2016-02-16 11:51 PST, Daniel Bates
bfulgham: review+

Description Daniel Bates 2016-01-15 18:10:04 PST
We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=180407>.

Disallow an empty host in a CSP host-source directive

Currently "https://" is accepted and treated like "https:". This behavior has never been part of any standard.

The syntax is specified in http://www.w3.org/TR/CSP11/#source-list-syntax

host-source       = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
host-part         = "*" / [ "*." ] 1*host-char *( "." 1*host-char )

As you can see, the host-part is NOT optional.
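
The grammar quoted in the description, as an added example that is not part of the bug report or of WebKit's patch: a small C++ classifier showing that "https://" has no valid parse once host-part is mandatory, while "https:" remains a scheme-source (which matches any host over that scheme). The scheme, host-char and port-part rules are taken from the CSP source-list grammar rather than from this page, the path-part check is simplified, and all function and type names are hypothetical.

```cpp
// Added example, not WebKit code. scheme, host-char and port-part rules are from the CSP
// source-list grammar; path-part is simplified to "anything starting with '/'" (assumption).
#include <cctype>
#include <iostream>
#include <string>

enum class SourceKind { Invalid, SchemeSource, HostSource }; // printed as 0, 1, 2
static bool isHostChar(char c) { return std::isalnum(static_cast<unsigned char>(c)) || c == '-'; }
static bool isSchemeChar(char c) { return isHostChar(c) || c == '+' || c == '.'; }

// host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char ); returns index past host, or npos.
static std::size_t parseHostPart(const std::string& s, std::size_t i) {
    if (i < s.size() && s[i] == '*') {
        if (++i == s.size() || s[i] != '.') return i; // bare "*"
        ++i;                                          // consumed "*."
    }
    for (;;) {
        std::size_t labelStart = i;
        while (i < s.size() && isHostChar(s[i])) ++i;
        if (i == labelStart) return std::string::npos; // 1*host-char not satisfied
        if (i == s.size() || s[i] != '.') return i;
        ++i;                                           // consumed "." before the next label
    }
}

SourceKind classifySource(const std::string& s) {
    std::size_t i = 0, j = 0;
    if (!s.empty() && std::isalpha(static_cast<unsigned char>(s[0]))) {
        for (j = 1; j < s.size() && isSchemeChar(s[j]); ++j) {}
        if (j < s.size() && s[j] == ':') {
            if (j + 1 == s.size()) return SourceKind::SchemeSource; // scheme-source, e.g. "https:"
            if (s.compare(j, 3, "://") == 0) i = j + 3;             // optional scheme-part "://"
        }
    }
    i = parseHostPart(s, i);                                // host-part is NOT optional
    if (i == std::string::npos) return SourceKind::Invalid; // e.g. "https://"
    if (i < s.size() && s[i] == ':') {                      // port-part = ":" ( 1*DIGIT / "*" )
        std::size_t portStart = ++i;
        if (i < s.size() && s[i] == '*') ++i;
        else while (i < s.size() && std::isdigit(static_cast<unsigned char>(s[i]))) ++i;
        if (i == portStart) return SourceKind::Invalid;
    }
    if (i < s.size() && s[i] != '/') return SourceKind::Invalid; // simplified path-part
    return SourceKind::HostSource;
}

int main() {
    const char* samples[] = {"https:", "https://", "https://*.example.com:443/a"}; // constructed
    for (const char* s : samples) std::cout << s << " -> " << int(classifySource(s)) << "\n";
}
```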
Comment 1 Radar WebKit Bug Importer 2016-01-27 20:59:42 PST
Comment 2 Daniel Bates 2016-02-16 11:51:04 PST
Created attachment 271461 [details]
Comment 3 Brent Fulgham 2016-02-16 12:28:32 PST
Comment on attachment 271461 [details]

Comment 4 Daniel Bates 2016-02-16 13:16:18 PST
Committed r196653: <http://trac.webkit.org/changeset/196653>